From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability ID: CVE-2024-50649
2. Target system: https://github.com/geeeeeeek/python_book
3. Version: V1.0
4. Vulnerability description: the user avatar upload function contains an arbitrary file upload vulnerability.
5. POC:
   - Request headers:
     - :keep-alive
     - :keep-alive
     - :Chromium;v="124", "Microsoft Edge";v="124", "Not-A.Brand";v="99"
     - :?
     - :Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome
     - :multipart/form-data; boundary=----WebKitFormBoundaryNhamFAPxMRx91F
     - :application/json, text/plain,
     - :adminToken, token,Content-Type
     - :a843da0e5b67ff9043d4a14da18af70c
     - :Windows
     - :same-origin
     - :same-origin
     - :cors
     - :empty
     - :gzip, deflate, br, zstd
     - :gzip, deflate, br, zstd
     - :zh-CN, zh;q=0.9, en;q=0.8, en-GB;q=0.7, en-US;q=0.6
     - :1200846
   - Request body:
     - :form-data; name="avatar"; filename="1.jpg"
     - :form-data; name="nickname"
     - :form-data; name="email"
     - :form-data; name="mobile"
     - :form-data; name="description"
   - Response body:
     - :form-data; name="avatar"; filename="1.jpg"
     - :form-data; name="nickname"
     - :form-data; name="email"
     - :form-data; name="mobile"
     - :form-data; name="description"

This information indicates that an attacker can craft a specific HTTP request to exploit the arbitrary file upload vulnerability and upload a malicious file to the target system.
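A server-side check for the `avatar` form part that addresses this class of bug, as an added example (not code from python_book or from the advisory). The function name, size limit and type allowlist are assumptions; the sample bytes are constructed.

```python
import secrets

# Assumed policy (not from the page): JPEG/PNG only, at most 2 MiB.
MAX_AVATAR_BYTES = 2 * 1024 * 1024
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}


class RejectedUpload(ValueError):
    """Raised when an avatar upload fails validation."""


def safe_avatar_name(client_filename: str, data: bytes) -> str:
    """Return a server-chosen storage name for an avatar, or raise.

    The multipart filename and Content-Type are client-controlled, so the
    stored extension is derived from the file's leading bytes only.
    """
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise RejectedUpload("empty or oversized upload")
    detected = next(
        (ext for magic, ext in SIGNATURES.items() if data.startswith(magic)),
        None,
    )
    if detected is None:
        raise RejectedUpload("content is not an allowed image type")
    # The claimed extension must agree with the detected type.
    claimed = ""
    if "." in client_filename:
        claimed = "." + client_filename.rsplit(".", 1)[-1].lower()
    if claimed == ".jpeg":
        claimed = ".jpg"
    if claimed != detected:
        raise RejectedUpload("extension does not match content")
    # No part of the client name is reused: this removes path traversal
    # and double-extension tricks from the stored filename.
    return secrets.token_hex(16) + detected


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed sample bytes
    print(safe_avatar_name("1.jpg", jpeg))
```

Signature checks do not stop polyglot files, so the upload directory should also be served as static content with script execution disabled.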