CVE-2022-36171: Arbitrary file deletion in MapGIS IGServer 10.5.6.11 · Issue #2 · prismbreak/vulnerabilities
MapGIS IGServer 10.5.6.11 is vulnerable to arbitrary file deletion.
1. Search with the syntax `title="IGServer" && port="8089"` in https://fofa.info/ and you can see the servers running MapGIS IGServer.
2. Exploiting this vulnerability requires login; however, the credential is hardcoded in the top right corner of the login form: hover the mouse over the question mark and you can see the password. Select a server as the target, then click “登录” (Login) in the top right corner, then hover your mouse over the question mark.
3. Now you have the credential. Log in and click the “设置” (Settings) option with the gear icon on the top panel, then click “数据源管理” (Data Source Management), scroll down to the bottom of the page and click "添加文件夹" (Add Folder). Now you can browse every folder and file on the server, which you can use to select the target you want to delete later.
4. Now click "服务管理配置" (Service Management Configuration). This is where the vulnerability occurs. In this panel you can upload and delete JSON files. Click the blue “上传” (Upload) button to upload a JSON file if there are no files. After uploading your file, click the red “删除” (Delete) button and intercept the request.
   **Note that because of a privilege issue, not every server can successfully upload files. In that case, you can access the URL directly:** `/manager/servicehub/vtiles/styles/delete`
5. The fileName parameter accepts a filename as its value. Because of the lack of validation, you can use `../` to perform path traversal and delete an arbitrary file. As mentioned in step 3, we can browse any file, so we can use that to choose a target. In this case, I’m going to choose /etc/login.defs as the target. Then input the payload `../../../../../../../../../../../etc/login.defs` in the fileName parameter and send it. As shown in the response, you can see the JSON key “code” with the value "1", which stands for delete successful. Go to the file explorer function mentioned in step 3 and into the /etc folder; you can see that login.defs is now gone: the file was successfully deleted.
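Added here as a defensive illustration, not code from this issue or from MapGIS: a Python sketch of how a delete endpoint like the one above should confine fileName to its styles directory, plus a log check that flags traversal attempts against the `/manager/servicehub/vtiles/styles/delete` path. The handler, the directory layout, the log line format and the `demo()` scenario are all assumptions; the only values taken from the report are the endpoint path and the `"code": 1` response convention.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint path from the report; the handler and directory layout below are hypothetical.
DELETE_PATH = "/manager/servicehub/vtiles/styles/delete"


def resolve_confined(base_dir: str, file_name: str) -> Optional[Path]:
    """Return the path of file_name inside base_dir, or None when the name would
    escape it. The vulnerable pattern is the unchecked equivalent of
    os.remove(os.path.join(base_dir, file_name))."""
    base = Path(base_dir).resolve()
    # The endpoint only needs a bare filename, so any directory component
    # (../, a leading /, a backslash) is already a policy violation.
    if not file_name or file_name != os.path.basename(file_name):
        return None
    # resolve() follows symlinks, so a link pointing out of base is caught too.
    target = (base / file_name).resolve()
    if target.parent != base:
        return None
    return target


def safe_delete(base_dir: str, file_name: str) -> dict:
    """Hardened delete: mirrors the report's JSON response shape (code 1 = deleted)."""
    target = resolve_confined(base_dir, file_name)
    if target is None or not target.is_file():
        return {"code": 0, "msg": "invalid fileName"}
    target.unlink()
    return {"code": 1, "msg": "deleted"}


def flags_traversal(request_line: str) -> bool:
    """Detection: True when a request to the delete endpoint carries a fileName
    containing a '..' segment or an absolute path, after undoing up to three
    layers of URL encoding. request_line is 'METHOD URL' (constructed format)."""
    parts = request_line.split(" ", 1)
    if len(parts) != 2:
        return False
    url = urlparse(parts[1].strip())
    if not url.path.endswith(DELETE_PATH):
        return False
    for value in parse_qs(url.query).get("fileName", []):
        for _ in range(3):  # parse_qs decoded once; peel double/triple encoding
            value = unquote(value)
        segments = value.replace("\\", "/").split("/")
        if ".." in segments or value.startswith("/"):
            return True
    return False


def demo() -> dict:
    """Constructed scenario: a styles directory holding one JSON file and a
    sentinel file one level up that a traversal payload must not remove."""
    root = Path(tempfile.mkdtemp())
    styles = root / "styles"
    styles.mkdir()
    (styles / "mystyle.json").write_text("{}")
    sentinel = root / "login.defs"
    sentinel.write_text("constructed sentinel\n")
    return {
        "traversal": safe_delete(str(styles), "../login.defs"),
        "sentinel_survives": sentinel.exists(),
        "legit": safe_delete(str(styles), "mystyle.json"),
        "json_removed": not (styles / "mystyle.json").exists(),
    }


if __name__ == "__main__":
    print(demo())
    # Constructed sample request lines, not captured traffic.
    for line in (
        "POST /manager/servicehub/vtiles/styles/delete?fileName=mystyle.json",
        "POST /manager/servicehub/vtiles/styles/delete?fileName=..%2F..%2Fetc%2Flogin.defs",
        "POST /manager/servicehub/vtiles/styles/delete?fileName=%252e%252e%252flogin.defs",
    ):
        print(flags_traversal(line), line)
```

The containment check deliberately rejects anything that is not a bare filename instead of trying to strip `../` sequences: stripping is what attackers bypass with encoding and mixed separators, while comparing the resolved parent directory to the resolved base catches traversal, absolute paths and symlinks out of the directory in one test. The log check decodes several times because the first layer is undone by the server before the file system ever sees the name.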