
Novel-plus-install-v3.5.3-Druid Unauthorized access

Open Al1ex opened this issue 3 years ago • 2 comments

Information

Exploit Title: Novel-plus-install-v3.5.3-Druid Unauthorized access
Exploit date: 01.06.2021
Exploit Author: Al1ex@Heptagram
Vendor Homepage: https://github.com/201206030/novel-plus
Affect Version: novel-plus-install-v3.5.3
Description: The Novel-plus system carries the Druid component, and the permission check is enforced by Shiro. However, Shiro has a wrong configuration when checking permissions, which leads to unauthorized access to Druid in Novel-plus. Attackers can use this vulnerability to obtain sensitive information, such as the database connection address, database user name, valid session information, etc.

How to Exploit

Step 1: After setting up the Novel-plus environment, visit the following link: http://192.168.174.1:8088/druid/index.html

Code Analysis

https://github.com/201206030/novel-plus/blob/develop_xxy/novel-admin/src/main/java/com/java2nb/common/config/ShiroConfig.java#L78 Here, anon means any user is allowed to access, while authc requires the permission check. You can see that Druid has unauthorized access.

Suggestion

Change anon to authc for permission checking

Al1ex avatar Jun 01 '21 02:06 Al1ex
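As an added example (not code from the issue or from novel-plus), the following Python audit resolves a Shiro filter chain definition the way Shiro does, first matching Ant-style pattern wins, and flags paths that end up on a chain with no authenticating filter. The three chain definitions are constructed to mirror the anon/authc setting discussed above; the Ant matcher is an approximation of Shiro's and the set of authenticating filter names is an assumption.

```python
import re
from typing import List, Optional, Tuple

Chain = List[Tuple[str, str]]  # ordered (pattern, filters) pairs, like Shiro's filterChainDefinitionMap

# Constructed filter chains (hypothetical, not the project's actual ShiroConfig).
VULNERABLE_CHAIN: Chain = [
    ("/login", "anon"),
    ("/druid/**", "anon"),   # the misconfiguration the issue describes
    ("/**", "authc"),
]
FIXED_CHAIN: Chain = [
    ("/login", "anon"),
    ("/druid/**", "authc"),  # the suggested fix: require authentication
    ("/**", "authc"),
]
# Ordering pitfall: a broad anon rule listed first shadows a later authc rule.
SHADOWED_CHAIN: Chain = [
    ("/**", "anon"),
    ("/druid/**", "authc"),
]

# Shiro filters that require an authenticated (or remembered) subject; assumption for this audit.
AUTH_FILTERS = {"authc", "authcBasic", "user"}


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Approximate Ant-style matching: '**' spans segments, '*' stays in one segment, '?' is one char."""
    if pattern.endswith("/**"):  # '/druid/**' also matches '/druid' itself
        return re.compile(re.escape(pattern[:-3]) + r"(/.*)?$")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")


def resolve_filters(chain: Chain, path: str) -> Optional[str]:
    """Return the filter list for the first matching pattern, as Shiro's chain resolver does."""
    for pattern, filters in chain:
        if ant_to_regex(pattern).match(path):
            return filters
    return None  # no chain at all: the request passes through unfiltered


def is_exposed(chain: Chain, path: str) -> bool:
    """True when no authenticating filter guards the path (anon-only or unmatched)."""
    filters = resolve_filters(chain, path)
    if filters is None:
        return True
    return not ({f.strip() for f in filters.split(",")} & AUTH_FILTERS)
```

Running `is_exposed(VULNERABLE_CHAIN, "/druid/index.html")` reports the console as reachable without login, while the same path under `FIXED_CHAIN` is guarded; `SHADOWED_CHAIN` shows that moving to authc is not enough if a broader anon rule precedes it.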

Thanks for the advice


201206030 avatar Jun 01 '21 04:06 201206030

It has been set so that it can only be viewed after logging in.

201206030 avatar Jun 01 '21 14:06 201206030