Shulou(Shulou.com)05/31 Report--

This article mainly analyzes the relevant knowledge points of Gogs arbitrary user login vulnerability example analysis, the content is detailed and easy to understand, the operation details are reasonable, and it has certain reference value. If you are interested, you may wish to follow Xiao Bian to have a look. Let's follow Xiao Bian to learn the knowledge of "Gogs arbitrary user login vulnerability example analysis" in depth.

I. Background of vulnerability

Gogs is an open source file/code management system similar to GitHub (based on Git). Gogs aims to create the easiest, fastest and easiest way to set up self-service Git services. The use of Go allows Gogs to be distributed as a standalone binary and supports all platforms supported by Go, including Linux, Mac OS X, Windows, and ARM.

II. Vulnerability Description

Gogs is an easy-to-build self-service Git service platform with easy installation, cross-platform, lightweight and many users. In version 0.11.66 and earlier,(go-macaron/session library) does not check sessionid, attackers can use malicious sessionid to read arbitrary files, control session content by controlling file content, and then log in to arbitrary accounts.

III. Impact version

The affected versions are as follows:

Gogs 0.11.66 and earlier

IV. Recurrence of loopholes

(1) Using ubuntu virtual machine docker clone vulhub gogs environment

(2) Execute the following command to start gogs: docker-compose up -d

(3) After the environment is started, visit http://192.168.49.103:3000/install to see the installation page. Select sqlite database during installation and enable registration.

(4) Use Gob serialization to generate session file data.

(5) Then register a regular user account, create the project, and upload the newly generated session file on the "version release" page.

(6) Through the URL of this attachment, we know the file name of this file: ./ attachments/2eb7f1a2-b5ec-482e-a297-15b625d24a10。Then, construct Cookie: i_like_gogies =../ attachments/2/e/2eb7f1a2-b5ec-482e-a297-15b625d24a10, visit to find the user who has successfully logged in id=1 (i.e. root administrator)

V. Vulnerability analysis and exploitation

First of all, for each user, we can create a repository, through the release function can upload any content controllable files, thus providing conditions for us to forge session files.

Through the explore function, we can find many user repositories, enter a user's user profile page, we can get all the information needed to construct the user session (uid, username).

Through the above file.go code, we found that the content of the session file is Gob encoding, drawing on P Niu to generate the payload of the session.

From this, we can generate a session, and upload our fake session to the server via the release upload function available to every user.

The default configuration of gogs,release files stored in the directory structure is attachments/fid[0]/fid[1]/fid. The directory structure for storing sessions is sessions/sid[0]/sid[1]/sid. In addition, the sessions and attachments folders are stored under the same data folder.

Because gogs will segment the session, construct it into the final path and then read it, while attachments and session are in the same folder, modify the session to the path of the file we just uploaded, that is./ attachments/1/7/17f4120b-1a0d-416a-b0b0-def4342ded5b, functions that read sessions resolve paths to sessions/./././ attachments/1/7/17f4120b-1a0d-416a-b0b0-def4342ded5b is the file we uploaded, and eventually any user logs in.

VI. Suggestions for restoration

Gogs can be downloaded from Github to compile the develop branch where this vulnerability has been fixed or upgraded to the latest version of Gogs.

About "Gogs any user login vulnerability example analysis" introduced to this, more related content can search previous articles, hope to help you answer questions, please support the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.