关联漏洞
标题:
Gurock Software Gurock TestRail 信息泄露漏洞
(CVE-2021-40875)
描述:Gurock Software Gurock TestRail是德国Gurock Software公司的一套基于Web的、用于QA和开发团队的测试用例管理软件。该软件支持创建测试用例、管理测试套件和协调测试过程等。 Gurock Software Gurock TestRail 7.2.0.3014之前版本存在信息泄露漏洞,攻击者可利用该漏洞访问Gurock TestRail应用程序客户端的/files.md5文件,公开应用程序文件的完整列表和相应的文件路径,探测相应的文件路径,在某些情况下,会导致硬编码
描述
CVE-2021-40875: Tools to Inspect Gurock Testrail Servers for Vulnerabilities related to CVE-2021-40875.
介绍
# derailed
CVE-2021-40875: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
# Credits
John Jackson
Twitter: https://twitter.com/johnjhacking
SickCodes
Twitter: https://twitter.com/sickcodes
# Summary
Why use this script? Why not just build a standard list of sensitive files?
Building a custom list would certainly work, however, in many cases it was observed that the TestRail application had custom files - which would be good to check during the recon phase. If you want, you can run the python script to grab a custom list of files to check with dirsearch. This is a more manual method if you're not interested in downloading any of the files, otherwise, just run the bash script to do everything for you.
# Usage
Python Script
```
git clone https://github.com/SakuraSamuraii/derailed.git
cd ./derailed
python3 derailed.py
---> give it the url of the target without the md5 path (https://foo.com)
```
Run dirsearch or your preferred fuzzing tool against the list. You'll noticed that a lot of the files a fairly standard in size (0B/15B or 25B/31B/32MB -- avoid those files as they are likely of no use to you)
```
sudo dirsearch -w derailed.txt -u 'https://foo.com' -x 300,301,302,303,304,305,400,401,402,403,404,405,406,500,501,502,503,504 > paths.txt
```
Running the Bash Script (Note - will download the files into an output folder, proceed with caution)
```
bash derailed.sh 'https://target'
```
文件快照
[4.0K] /data/pocs/4137c82857e83be1c7d2822bdce78045519ea37d
├── [ 581] derailed.py
├── [2.2K] derailed.sh
├── [406K] files.md5.txt
└── [1.8K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。