Vulnerability Description
The Golang expvar function exposes multiple public variables via HTTP, such as stack trace information and server operation counters.
id: debug-vars
info:
  name: Golang Expvar - Detect
  author: luqman
  severity: low
  verified: true
  description: Golang expvar function exposes multiple public variables via HTTP such as stack trace information and server operation counters.
  tags: go,debug,exposure
rules:
  r0:
    request:
      method: GET
      path: /debug/vars
    expression: response.status == 200 && response.body.bcontains(b'"memstats":') && response.body.bcontains(b'"cmdline":')
expression: r0()
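
The following Go program is an added example, not part of the rule or of any project's code. It shows why the rule fires on a service that serves `http.DefaultServeMux` (importing `expvar` registers `/debug/vars` there) and how an explicit public mux plus a separate admin mux avoids the exposure. The handler names, the `/healthz` route and the `127.0.0.1:6060` address are assumptions made for illustration.

```go
package main

import (
	"expvar" // importing expvar registers /debug/vars on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// matchesRule mirrors the rule's expression: 200 plus both default expvar keys.
func matchesRule(status int, body string) bool {
	return status == http.StatusOK &&
		strings.Contains(body, `"memstats":`) &&
		strings.Contains(body, `"cmdline":`)
}

// probe sends GET /debug/vars to h in-process and reports whether the rule would fire.
func probe(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/vars", nil))
	return matchesRule(rec.Code, rec.Body.String())
}

// exposedHandler is the weak setup: the public listener serves DefaultServeMux.
func exposedHandler() http.Handler { return http.DefaultServeMux }

// publicHandler is the hardened setup: an explicit mux carrying only app routes.
func publicHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	return mux
}

// adminHandler keeps expvar for a loopback-only listener (assumed 127.0.0.1:6060).
func adminHandler() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/debug/vars", expvar.Handler())
	return mux
}

func main() {
	fmt.Println("DefaultServeMux matches rule:", probe(exposedHandler()))
	fmt.Println("explicit public mux matches rule:", probe(publicHandler()))
	fmt.Println("loopback admin mux matches rule:", probe(adminHandler()))
}
```

The admin mux still matches the rule by design; what changes is that it is bound to loopback rather than to the public listener.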