POC详情: 9450286d89f502702a474eb9c7241991d3c448c8

来源
https://github.com/geraldoalcantara/CVE-2023-49980
关联漏洞
标题: Best Student Result Management System和ecto 安全漏洞 (CVE-2023-49980)
描述:Best Student Result Management System是Mayuri K.个人开发者的一个学生成绩管理系统。 Best Student Result Management System v1.0 版本存在安全漏洞,该漏洞源于目录列表的逻辑漏洞,可以不受限制的列出程序中的目录和敏感文件。
描述
Best Student Result Management System 1.0 - Directory Listing CVE-2023-49980
介绍
# CVE-2023-49980
# Best Student Result Management System 1.0 - Directory Listing

**Description**: Best Student Result Management System 1.0 is vulnerable to Broken Access Control. The Directory Listing vulnerability allows any remote attacker to view the application's sensitive files within the includes and assets directories of the application without any authorization.

**Vulnerable Product Version**: Best Student Result Management System 1.0  
**CVE Author**: Geraldo Alcântara  
**Date**: 28/11/2023  
**Confirmed on**: 19/12/2023  
**CVE**: CVE-2023-49980   
**Tested on**: Windows  
### Steps to reproduce:  
1. Navigate to URL: http://{IP}/upresult/includes/ or http://{IP}/upresult/assets/. I found out that many important files of application can be accessed directly from this directory listing.  

Accessing the directory /includes/  
![dir01](https://github.com/geraldoalcantara/dir-listin-Best_Student_Result_Management_System/assets/152064551/3f06fea7-0265-482c-9d1c-0c14575d2e33)  

Accessing the directory /assets/  
![dir02](https://github.com/geraldoalcantara/dir-listin-Best_Student_Result_Management_System/assets/152064551/e06b7357-b22a-4a60-a55c-c92b5c67ed01)  

Discoverer(s)/Credits:  
Geraldo Alcântara
文件快照

 [4.0K]  /data/pocs/9450286d89f502702a474eb9c7241991d3c448c8
└── [1.2K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。