Associated Vulnerability
Title:ownCloud 安全漏洞 (CVE-2023-49103)Description:ownCloud是美国ownCloud公司的一套个人云存储解决方案。 ownCloud graphapi 0.2.1 之前、0.3.1 之前版本存在安全漏洞,该漏洞源于graphapi 应用程序依赖于提供 URL 的第三方 GetPhpInfo.php 库,当访问此 URL 时,它会显示 PHP 环境 (phpinfo) 的配置详细信息,这些信息包括网络服务器的所有环境变量,在容器化部署中,这些环境变量可能包括敏感数据,例如 ownCloud 管理员密码、邮件服务器凭据和许可证密钥,攻击者利用该漏洞可以从
Description
This is a simple proof of concept for CVE-2023-49103.
Readme
<div align="center">
# 🇮🇱 **#BringThemHome #NeverAgainIsNow** 🇮🇱
**We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home.
https://stories.bringthemhomenow.net/**
[](https://twitter.com/Itsd0r)
</div>
# Exploit for CVE-2023-49103
## Background
ownCloud is a file sharing platform designed for enterprise environments. On November 21, 2023, ownCloud disclosed CVE-2023-49103, an unauthenticated information disclosure vulnerability affecting ownCloud, when a vulnerable extension called “Graph API” (graphapi) is present. If ownCloud has been deployed via Docker, from February 2023 onwards, this vulnerable graphapi component is present by default. If ownCloud has been installed manually, the graphapi component is not present by default.
Searching for ownCloud via Shodan indicates there are at least 12,320 instances on the internet (as of Dec 1, 2023). It is unknown how many of these are currently vulnerable.
File transfer and sharing platforms have come under attack from ransomware groups in the past, making this a target of particular concern, as ownCloud is also a file sharing platform. On November 30, 2023, CISA added CVE-2023-49103 to its known exploitable vulnerabilities (KEV) list, indicating threat actors have begun to exploit this vulnerability in the wild. Rapid7 Labs has observed exploit attempts against at least three customer environments as of writing this blog.
## Vulnerability Details
The vulnerability allows an unauthenticated attacker to leak sensitive information via the output of the PHP function `phpinfo`, when targeting the URI endpoint `/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`. This output will include environment variables which may hold secrets, such as user names or passwords that are supplied to the ownCloud system. Specifically, when ownCloud is deployed via Docker, it is common practice to pass secrets via environment variables.
It was initially thought that Docker installations of ownCloud were not exploitable. However, Rapid7 researchers confirmed that it is possible to exploit vulnerable Docker-based installations of ownCloud by modifying the requested URI to bypass the existing Apache web server’s rewrite rules, allowing the target URI endpoint to be successfully reached.
File Snapshot
[4.0K] /data/pocs/1d5b218206d444b5810d07a2afcbd6bddf7aa766
├── [1007] PoC.py
└── [2.5K] README.md
0 directories, 2 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.