Huaxia ERP Information Leakage

Enterprise 2023-08-18 19:43:18 views: null

Statement
This article is only for technical communication, please do not use it for illegal purposes.
Any direct or indirect consequences and losses caused by the dissemination and utilization of the information provided in this article shall be the responsibility of the user himself, and the author of the article shall not be liable for any responsibility.
The author of the article has the right to modify and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all content such as the copyright statement. Without permission, the content of this article shall not be modified or added or deleted arbitrarily, and shall not be used for commercial purposes in any way.
 

Vulnerability principle

Huaxia ERP is an enterprise resource planning (ERP) software designed to provide enterprises with comprehensive information management and integration solutions to improve efficiency, reduce costs and optimize business processes. The software helps businesses manage various business functions such as finance, sales, purchasing, inventory, production planning, and more. It also has reporting and analytics capabilities that allow businesses to better understand their business operations. Huaxia ERP is usually used for small and medium-sized enterprises.

The Huaxia ERP front desk leaked an API interface. Malicious attackers can call this interface to gain unauthorized access to the user's account and password. After obtaining the account and password, the malicious attacker can take over the background.

exploit

 

POC:

/jshERP-boot/user/getAllList;.ico By accessing this interface, the front desk obtains the account password of the background user without authorization

 The password password is decrypted using MD5

Log in

 

defense method

  1. Enhanced Access Control: Restrict access to sensitive information to only authorized personnel. Use technologies such as authentication, rights management, and multi-factor authentication to ensure only authorized personnel have access to sensitive information.

  2. Data encryption: Encrypt sensitive information to ensure that even if data leaks, attackers cannot directly obtain useful information.

  3. Regular backup and disaster recovery plan: Regularly back up sensitive information and establish an effective disaster recovery plan so that data can be quickly restored in the event of a data breach.

  4. Security audit and monitoring: Establish a security audit and monitoring mechanism to detect and respond to potential data leakage incidents in a timely manner.

  5. Strengthen network security protection: Use firewalls, intrusion detection systems, anti-virus software and other security tools to detect and prevent potential attacks in a timely manner.

  6. Regularly update and patch software vulnerabilities: Update and patch system and application vulnerabilities in a timely manner to reduce the possibility of attackers exploiting vulnerabilities to obtain sensitive information.

Guess you like

Origin blog.csdn.net/qq_56698744/article/details/132133590
Recommended
The “35-year-old curse” of Chinese coders
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Ranking
Methods and Practices of Manufacturing Data Quality Improvement
Serial port upgrade program for efficient transmission of large firmware
Use KITTI to run LIOSAM and complete the EVO evaluation
Calling methods on string literals (Java)
ActiveMQ and Spring integration (4)
You have to know the HTTPS! ! !
PAT whether Structures and Algorithms 7-4 with a binary search tree (40 rows streamlined structure)
el-upload brings request background
UVA - 1204 Fun Game-like pressure dp
2019-12-28
Daily
More
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)

Code World

© 2018 codetd.com