eZiosuite2.0.7_ Any file download #1

Open
Chu1z1 opened this issue Mar 3, 2022 · 0 comments

Chu1z1 commented Mar 3, 2022

# eZiosuite_ Any file download
## Users need to log in (as any 德实 user) to exploit the vulnerability
### You can find the interface at the avatar upload to obtain the key generated from the uploaded file path, modify the path used to generate the key to produce a malicious key, and import the key at the avatar file read, resulting in arbitrary file download

## UI
[Image 1]
## Upload file
[Image 2]
You can modify the return path or change the path of the next package to obtain the key
[Image 3]
[Image 4]
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
## Successful exploit
[Image 5]
Do not infiltrate illegally! Do not penetrate without authorization! Please do not use this vulnerability for illegal and criminal activities! This article is for learning only! The consequences of breaking the law have nothing to do with the author!
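
The issue above describes a file key that follows whatever path the client supplies. As an added example (not part of the original issue and not eZiosuite code), this sketch shows a mitigation: the server binds each key to the user and path with an HMAC and re-checks at read time that the path stays inside the avatar directory. The issue does not say how eZiosuite derives its key, so `AVATAR_ROOT`, `SERVER_SECRET`, `issue_key` and `resolve_key` are assumed names.

```python
import hashlib
import hmac
import secrets
from pathlib import Path
from typing import Optional

# Assumed names and values; nothing here is taken from eZiosuite itself.
AVATAR_ROOT = Path("/srv/app/avatars")      # constructed upload directory
SERVER_SECRET = secrets.token_bytes(32)     # stays on the server


def _tag(user_id: str, rel_path: str) -> str:
    """MAC over (user, path) so neither can be swapped after issuance."""
    msg = f"{user_id}\x00{rel_path}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def _inside_root(rel_path: str) -> Optional[Path]:
    """Resolve rel_path under AVATAR_ROOT; None if it escapes the root."""
    root = AVATAR_ROOT.resolve()
    candidate = (AVATAR_ROOT / rel_path).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        return None
    return candidate


def issue_key(user_id: str, rel_path: str) -> str:
    """Upload handler: refuse to mint a key for a path outside the root."""
    if _inside_root(rel_path) is None:
        raise ValueError("path escapes avatar directory")
    return f"{rel_path}.{_tag(user_id, rel_path)}"


def resolve_key(user_id: str, key: str) -> Optional[Path]:
    """Read handler: return a safe path, or None for a bad or edited key."""
    rel_path, _, tag = key.rpartition(".")
    expected = _tag(user_id, rel_path)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                      # path or user changed after issuance
    return _inside_root(rel_path)        # defence in depth against traversal
```

Either check alone closes the path described in the issue; keeping both means a mistake in one handler does not reopen it.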
