Arbitrary file deletion in MapGIS IGServer 10.5.6.11 #2

Open
prismbreak opened this issue Jul 13, 2022 · 0 comments
prismbreak commented Jul 13, 2022

1. Search with the syntax `title="IGServer" && port="8089"` in https://fofa.info/ and you can see the servers running MapGIS IGServer.

[screenshot 1]

2. Exploiting this vulnerability requires login; however, the credential is hardcoded in the top right corner of the login form. Hover the mouse over the question mark and you can see the password.
Select a server as the target, then click "登录" (Login) in the top right corner, then hover your mouse over the question mark.

[screenshot 2]

3. Now you have the credential. Log in and click the "设置" (Settings) option with the settings icon on the top panel, then click "数据源管理" (Data Source Management) and scroll down to the bottom of the page, then click "添加文件夹" (Add Folder). Now you can explore every folder and file on the server; you can use it to select the target you want to delete later.

[screenshots 3 and 4]

4. Now click "服务管理配置" (Service Management Configuration). This is where the vulnerability occurs. In this panel, you can upload and delete JSON files. Click the blue "上传" (Upload) button to upload a JSON file if there are no files yet. After uploading your files, click the red "删除" (Delete) button and intercept the request.
**Note that because of some privilege issue, not every server can successfully upload files. In this case, you can access the URL directly:** `/manager/servicehub/vtiles/styles/delete`

[screenshots 5 to 9]

5. The fileName parameter accepts a filename as its value. Because of the lack of validation, you can use `../` to perform path traversal and delete arbitrary files.
As mentioned in step 3, we can explore any files, so we can use that to choose a target. In this case, I'm going to choose /etc/login.defs as the target.

[screenshot 10]

Then input the `../../../../../../../../../../../etc/login.defs` payload in the fileName parameter and send it. As shown in the response, you can see the JSON key "code" with the value "1", which stands for a successful delete.

[screenshot 11]

Go to the file explorer function mentioned in step 3 and go into the /etc folder; you can see that login.defs is now gone, the file was successfully deleted.

[screenshot 12]

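Added example (not from the report and not the vendor's code): a hardened version of the kind of "delete style file" handler described in step 5, in Python, showing the validation the fileName parameter lacks. The function names, the styles directory layout, the `.json`-only rule and the `{"code": ...}` result shape are assumptions.

```python
import tempfile
from pathlib import Path
import os


class PathTraversalError(ValueError):
    """Raised when a requested file name would escape the styles directory."""


def resolve_style_path(styles_dir: str, file_name: str) -> Path:
    """Map a user-supplied fileName to a path inside styles_dir, or raise.

    Hypothetical hardened handler (the product's own code is not public here).
    Checks, in order: non-empty and NUL-free; a bare file name with no
    directory component (so '..', '/' and, on Windows, '\\' are rejected);
    a .json extension, since the panel only manages style files; and finally
    a resolved-path containment check as defence in depth, with symlinks on
    both sides resolved first so a link inside the base cannot point out.
    """
    if not file_name or "\x00" in file_name:
        raise PathTraversalError("empty or NUL-containing file name")
    if os.path.basename(file_name) != file_name:
        raise PathTraversalError(f"file name must be a bare name: {file_name!r}")
    if not file_name.lower().endswith(".json"):
        raise PathTraversalError(f"only .json style files may be deleted: {file_name!r}")
    base = Path(styles_dir).resolve(strict=True)
    target = (base / file_name).resolve()
    if base not in target.parents:
        raise PathTraversalError(f"{file_name!r} resolves outside {base}")
    return target


def delete_style(styles_dir: str, file_name: str) -> dict:
    """Delete one style file; mirrors the panel's JSON result (1 = deleted)."""
    try:
        target = resolve_style_path(styles_dir, file_name)
    except (PathTraversalError, OSError) as exc:
        # Log the rejected name server-side: repeated '../' names are a
        # useful detection signal for this class of request.
        return {"code": 0, "msg": f"rejected: {exc}"}
    if not target.is_file():
        return {"code": 0, "msg": "no such style"}
    target.unlink()
    return {"code": 1, "msg": "deleted"}


def make_demo_dir() -> str:
    """Create a throwaway styles dir with one constructed style file (demo only)."""
    d = tempfile.mkdtemp(prefix="styles_")
    (Path(d) / "basemap.json").write_text("{}")
    return d
```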