mirror of https://github.com/qwqdanchun/Goby.git
149 lines
7.3 KiB
JSON
149 lines
7.3 KiB
JSON
{
|
||
"Name": "GravCMS Unauthenticated Code Execution Vulnerability",
|
||
"Description": "<p><span style=\"font-size: 16.96px;\">Grav is a scalable CMS (Content Management System) for personal blogs, small content publishing platforms, and single-page product displays.</span></p><p><span style=\"font-size: 16.96px;\">In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the /admin path from untrusted sources can be applied as a workaround.</span><br></p>",
|
||
"Product": "GravCMS",
|
||
"Homepage": "https://getgrav.org/",
|
||
"DisclosureDate": "2022-04-03",
|
||
"Author": "sharecast.net@gmail.com",
|
||
"FofaQuery": "body=\"GravCMS\"",
|
||
"GobyQuery": "body=\"GravCMS\"",
|
||
"Level": "3",
|
||
"Impact": "<p>Attackers can use this vulnerability to arbitrarily execute code on the server side, write backdoors, obtain server permissions, and then control the entire web server.<br></p>",
|
||
"Recommendation": "<p>At present, the manufacturer has released an upgrade patch to fix the vulnerability. The link to obtain the patch:</p><p><a href=\"https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj\">https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj</a></p>",
|
||
"References": [
|
||
"https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/"
|
||
],
|
||
"Is0day": false,
|
||
"HasExp": true,
|
||
"ExpParams": [
|
||
{
|
||
"name": "AttackType",
|
||
"type": "createSelect",
|
||
"value": "goby_shell_linux,goby_shell_win",
|
||
"show": ""
|
||
}
|
||
],
|
||
"ExpTips": {
|
||
"Type": "",
|
||
"Content": ""
|
||
},
|
||
"ScanSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/test.php",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "test",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"ExploitSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/test.php",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "test",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"Tags": [
|
||
"Code Execution"
|
||
],
|
||
"VulType": [
|
||
"Code Execution"
|
||
],
|
||
"CVEIDs": [
|
||
"CVE-2021-21425"
|
||
],
|
||
"CNNVD": [
|
||
"CNNVD-202104-406"
|
||
],
|
||
"CNVD": [
|
||
""
|
||
],
|
||
"CVSSScore": "9.8",
|
||
"Translation": {
|
||
"CN": {
|
||
"Name": "GravCMS 未认证代码执行漏洞",
|
||
"Product": "GravCMS",
|
||
"Description": "<p>Grav是一套可扩展的用于个人博客、小型内容发布平台和单页产品展示的CMS(内容管理系统)。</p><p>在 1.10.7 及更早的版本中,未经身份验证的用户无需任何凭据即可执行管理员控制器的某些方法。 特定的方法执行将导致任意 YAML 文件的创建或系统上现有 YAML 文件的内容更改。 成功利用该漏洞会导致配置更改,例如一般站点信息更改、自定义调度程序作业定义等。由于漏洞的性质,攻击者可以更改网页的某些部分,或劫持管理员帐户,或执行 网络服务器用户上下文下的操作系统命令。 此漏洞已在 1.10.8 版本中修复。 阻止从不受信任的来源访问 /admin 路径可以作为一种解决方法。<br></p>",
|
||
"Recommendation": "<p><a target=\"_Blank\" href=\"https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj\"></a></p><p>目前厂商已发布升级补丁以修复漏洞,补丁获取链接:</p><p><a href=\"https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj\">https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj</a></p>",
|
||
"Impact": "<p>攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个web服务器。<br></p>",
|
||
"VulType": [
|
||
"代码执⾏"
|
||
],
|
||
"Tags": [
|
||
"代码执⾏"
|
||
]
|
||
},
|
||
"EN": {
|
||
"Name": "GravCMS Unauthenticated Code Execution Vulnerability",
|
||
"Product": "GravCMS",
|
||
"Description": "<p><span style=\"font-size: 16.96px;\">Grav is a scalable CMS (Content Management System) for personal blogs, small content publishing platforms, and single-page product displays.</span></p><p><span style=\"font-size: 16.96px;\">In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the /admin path from untrusted sources can be applied as a workaround.</span><br></p>",
|
||
"Recommendation": "<p>At present, the manufacturer has released an upgrade patch to fix the vulnerability. The link to obtain the patch:</p><p><a href=\"https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj\">https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj</a></p>",
|
||
"Impact": "<p>Attackers can use this vulnerability to arbitrarily execute code on the server side, write backdoors, obtain server permissions, and then control the entire web server.<br></p>",
|
||
"VulType": [
|
||
"Code Execution"
|
||
],
|
||
"Tags": [
|
||
"Code Execution"
|
||
]
|
||
}
|
||
},
|
||
"AttackSurfaces": {
|
||
"Application": null,
|
||
"Support": null,
|
||
"Service": null,
|
||
"System": null,
|
||
"Hardware": null
|
||
}
|
||
} |