PoC details: dcf756149b7f44b07ee141b8b372548a78bd3392

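Source
Related vulnerability
Title: N/A (CVE-2024-57609)
Description: Kanaries Inc Pygwalker versions before v.0.4.9.9 contain an issue that allows a remote attacker to obtain sensitive information and execute arbitrary code via the redirect_path parameter of the login redirection function.
Description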
Open Redirect Vulnerability in Kanaries
Introduction
# Open Redirect Vulnerability in Kanaries
Vendor Homepage: https://kanaries.net/

PoC Video: https://drive.google.com/file/d/1kqfbmx1W6UgSs56gOLOsUFiGcvKrIyW9/view?usp=sharing


## Step-by-Step Exploitation Guide

### 1. Go to the Website
Navigate to the [Kanaries website](https://kanaries.net).

### 2. Initiate Login/Sign Up
- Click on the **"Log in / Sign up"** button on the homepage.
- This redirects you to: `https://kanaries.net/access?redirect_path=https%3A%2F%2Fkanaries.net%2Fhome`

  
### 3. Modify the Redirect Parameter
- Change the `redirect_path` parameter to a malicious site, such as:
  `https://kanaries.net/access?redirect_path=https%3A%2F%2Fbing.com`

### 4. Trigger the Redirect
- Click on **"Login With GitHub"** or **"Login With Google"** to initiate the login process.
- Instead of being redirected back to the intended page (`kanaries.net`), you are redirected to `bing.com` (or any malicious URL specified in the `redirect_path` parameter).

## PoC Image
![alt text](https://imgur.com/EIZ4Wq3.png)
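
A server-side check for the `redirect_path` value used in the steps above, as an added example (not code from the original README or from Kanaries). The allowlist `ALLOWED_HOSTS`, the fallback `DEFAULT_TARGET` and both function names are assumptions; the request URLs are the ones shown in steps 2 and 3.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions for this sketch: the host allowlist and the fallback destination.
ALLOWED_HOSTS = {"kanaries.net"}
DEFAULT_TARGET = "https://kanaries.net/home"


def is_safe_redirect(target: str) -> bool:
    """True only for a rooted same-site path or an https URL on an allowlisted host."""
    # Browsers and urlsplit normalise control characters, whitespace and
    # backslashes differently, so reject them before parsing.
    if not target or any(ch <= " " or ch in "\x7f\\" for ch in target):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept "/home", never "//host" or "///host".
        return target.startswith("/") and not target.startswith("//")
    return (
        parts.scheme == "https"
        and parts.username is None       # blocks https://kanaries.net@other.host/
        and parts.password is None
        and port in (None, 443)
        and parts.hostname in ALLOWED_HOSTS  # exact match, no suffix matching
    )


def resolve_login_redirect(access_url: str) -> str:
    """Choose the post-login destination for an /access?redirect_path=... request."""
    values = parse_qs(urlsplit(access_url).query).get("redirect_path", [])
    # A repeated parameter is ambiguous between components; treat it as invalid.
    if len(values) == 1 and is_safe_redirect(values[0]):
        return values[0]
    return DEFAULT_TARGET


if __name__ == "__main__":
    for url in (
        "https://kanaries.net/access?redirect_path=https%3A%2F%2Fkanaries.net%2Fhome",
        "https://kanaries.net/access?redirect_path=https%3A%2F%2Fbing.com",
    ):
        print(url, "->", resolve_login_redirect(url))
```

The check has to run where the redirect is finally issued, after the GitHub or Google login returns, not only when the `/access` page is first rendered.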
File snapshot

[4.0K] /data/pocs/dcf756149b7f44b07ee141b8b372548a78bd3392
└── [1020] README.md

0 directories, 1 file