From 4b3ef3622138fa086805b6b6553e1b0e1bc5c1b6 Mon Sep 17 00:00:00 2001 From: Goby <50955360+gobysec@users.noreply.github.com> Date: Fri, 7 Jul 2023 15:31:27 +0800 Subject: [PATCH] Create Huatian-OA8000_MyHttpServlet_reportFile_Arbitrary_File_Upload_Vulnerability.md add Huatian-OA8000 MyHttpServlet reportFile Arbitrary File Upload Vulnerability --- ...reportFile_Arbitrary_File_Upload_Vulnerability.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Huatian-OA8000_MyHttpServlet_reportFile_Arbitrary_File_Upload_Vulnerability.md diff --git a/Huatian-OA8000_MyHttpServlet_reportFile_Arbitrary_File_Upload_Vulnerability.md b/Huatian-OA8000_MyHttpServlet_reportFile_Arbitrary_File_Upload_Vulnerability.md new file mode 100644 index 0000000..b503b3e --- /dev/null +++ b/Huatian-OA8000_MyHttpServlet_reportFile_Arbitrary_File_Upload_Vulnerability.md 
@@ -0,0 +1,12 @@ +## Huatian-OA8000 MyHttpServlet reportFile Arbitrary File Upload Vulnerability + +| **Vulnerability** | **Huatian-OA8000 MyHttpServlet reportFile Arbitrary File Upload Vulnerability** | +| :----: | :-----| +| **Chinese name** | 华天动力-OA8000 MyHttpServlet 文件 reportFile 参数文件上传漏洞 | +| **CVSS core** | 8.6 | +| **FOFA Query** (click to view the results directly)| [body="/OAapp/WebObjects/OAapp.woa"](https://en.fofa.info/result?qbase64=Ym9keT0iL09BYXBwL1dlYk9iamVjdHMvT0FhcHAud29hIg%3D%3D) | +| **Number of assets affected** | 2226 | +| **Description** | Huatian-OA8000 is a combination of advanced management ideas, management models, software technology and network technology, providing users with a low-cost, high-efficiency collaborative office and management platform.There is an arbitrary file upload vulnerability in Huatian Power OA MyHttpServlet. Attackers can upload malicious raq files and execute arbitrary sql statements in the raq files to obtain sensitive information such as user account passwords. | +| **Impact** | There is an arbitrary file upload vulnerability in Huatian Power OA MyHttpServlet. Attackers can upload malicious raq files and execute arbitrary sql statements in the raq files to obtain sensitive information such as user account passwords. | + +![](https://s3.bmp.ovh/imgs/2023/07/07/ee0dff7305687815.gif)
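Review bot: the table row labelled "**CVSS core**" should read "**CVSS score**", and the "**Description**" and "**Impact**" rows repeat the same two sentences verbatim ("There is an arbitrary file upload vulnerability in Huatian Power OA MyHttpServlet. Attackers can upload malicious raq files ..."); keep the product background in Description and the consequence only in Impact, and add the missing space after "management platform." The entry also states no affected version range, vendor reference or remediation status, which a reader needs to judge exposure beyond the FOFA asset count of 2226, and the only evidence is an animated GIF on a third-party host (s3.bmp.ovh) that may disappear; consider committing the image to the repository or adding a one-line textual summary of what it demonstrates.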