CVE-2023-34736: Arbitrary file upload vulnerability in GUANTANG Equipment Management System v4.12 · Issue #5 · prismbreak/vulnerabilities
Guantang Equipment Management System version 4.12 is vulnerable to Arbitrary File Upload.
1. Search for vulnerable products on the internet
Go to https://hunter.qianxin.com/ and use this query to find potentially vulnerable instances exposed on the internet: web.body="用户登录 - 冠唐设备管理系统" (the string is the login page title, "User Login - Guantang Equipment Management System").
The product's copyright registration is at: https://aiqicha.baidu.com/copyright?pid=56101494946689&softId=copyright_d3417c1c60777f4d1f197cbab9eb1496
The target used for this test is: http://cddkx.gtcmms.com/
2. Login
The default admin credentials are admin : admin. They are hardcoded in the frontend, which could be a separate vulnerability.
3. Exploitation
After logging in, click "工装模具" (Tooling and moulds), then the "添加" (Add) button.
A window pops up; you do not have to fill in anything, just click "确定" (OK).
Then click "相关图片" (Related images), then "上传图片" (Upload image), to upload a file.
In the upload window, click "浏览" (Browse) to select a .jpg file, then click "确定" (OK) to submit it. Intercept this request with Burp Suite.
In Burp, change the extension in the second "filename" parameter to .aspx and replace the file body with the webshell shipped with Kali Linux: /usr/share/webshells/aspx/cmdasp.aspx
Send the request. The response says "Invalid file format", but the file is stored anyway.
Refresh the page and go back to the upload function: the uploaded file is listed as an image.
Check Burp's request history: the site automatically requests the uploaded file, which reveals its path.
Open that path in a browser and you can execute commands through the webshell.
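The following is an added example, not code from this issue or from the Guantang product: a server-side validator of the kind that would have blocked the upload above, exercised against two constructed multipart bodies, one carrying a JPEG and one shaped like the Burp-modified request (file part renamed to .aspx, Content-Type left as image/jpeg). The field name, boundary string and both payloads are assumptions; the "webshell" is a placeholder line, not the Kali cmdasp.aspx file. The validator runs before anything is written to disk, because a response of "Invalid file format" with the file nonetheless stored suggests the product checks too late; that ordering is an inference from the observed behaviour, not something the page confirms.

```python
"""
Added example (not from the original issue or the vendor): validate an image
upload by extension allow-list, declared type and content signature before
saving, and never let the client-supplied filename reach the filesystem.
"""
import os
import re
import secrets

BOUNDARY = b"----FormBoundaryConstructed"       # assumed boundary string
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of the image formats an image-upload endpoint should accept.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed sample payloads (assumptions, not captured traffic).
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
ASPX_BYTES = b'<%@ Page Language="C#" %><!-- placeholder, not a real webshell -->'


def build_body(name, filename, content_type, data, boundary=BOUNDARY):
    """Build a single-part multipart/form-data body as Burp would show it."""
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="' + name.encode() + b'"; filename="'
        + filename.encode() + b'"\r\n'
        + b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
        + data + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal multipart parser: returns [(name, filename, content_type, data)]."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter
            break
        chunk = chunk[2:-2]                    # CRLF after this boundary, CRLF before the next
        headers, _, data = chunk.partition(b"\r\n\r\n")
        hdr = headers.decode("latin-1")
        name = re.search(r';\s*name="([^"]*)"', hdr)
        fname = re.search(r'filename="([^"]*)"', hdr)
        ctype = re.search(r"Content-Type:\s*([^\r\n]+)", hdr, re.I)
        parts.append((
            name.group(1) if name else "",
            fname.group(1) if fname else "",
            ctype.group(1).strip() if ctype else "application/octet-stream",
            data,
        ))
    return parts


def sniff_image(data):
    """Return the extension implied by the leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename, content_type, data):
    """Decide before anything touches disk. Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not in allow-list"
    if not content_type.lower().startswith("image/"):
        return False, f"declared type {content_type!r} is not an image"
    if sniff_image(data) is None:
        return False, "content does not start with a known image signature"
    return True, "ok"


def storage_name(data):
    """Server-chosen name: random token plus an extension derived from the
    content, so the client's filename is never used on the filesystem."""
    ext = sniff_image(data)
    if ext is None:
        raise ValueError("refusing to store non-image content")
    return secrets.token_hex(16) + ext


def check_request(body):
    """Validate every file part of a request body; any failure rejects the
    request, mirroring a check placed in front of the save."""
    results = []
    for name, filename, ctype, data in parse_multipart(body):
        if not filename:
            continue                           # ordinary form field, not a file
        ok, reason = validate_upload(filename, ctype, data)
        results.append((name, filename, ok, reason))
    return results


if __name__ == "__main__":
    benign = build_body("file", "photo.jpg", "image/jpeg", JPEG_BYTES)
    attack = build_body("file", "cmdasp.aspx", "image/jpeg", ASPX_BYTES)
    for label, body in (("benign", benign), ("attack", attack)):
        print(label, check_request(body))
```

The three checks are deliberately independent: renaming the part to .aspx fails the allow-list, a webshell renamed to .jpg fails the signature check, and a request that passes both still gets a server-generated filename, so nothing the client controls decides where or under what name the bytes land.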