A flaw in Weaver (泛微) OA allows traversing and manipulating system files

2016-01-15T00:00:00
ID SSV:95583
Type seebug
Reporter Root
Modified 2016-01-15T00:00:00

Description

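Brief description:

As the title says.

Details:

The file is located at plugin\ewe\jsp\config.jsp

<%
String sUsername, sPassword, aStyle, aToolbar;
sUsername = "sysadmin";
sPassword = "weaversoft";
.....

These are the username and password for the editor, hardcoded in the file.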
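For defenders auditing a deployment, the following added example (not part of the original report and not vendor code) walks a web root and flags JSP scriptlets that assign string literals to credential-like variables, as config.jsp does above. The name heuristic, the function names and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a credential is a Java string literal assigned to a variable
# whose name contains one of these words (as sUsername/sPassword do above).
NAME_HINT = re.compile(r"(pass|pwd|user|secret)", re.I)
ASSIGN = re.compile(r'\b([A-Za-z_]\w*)\s*=\s*"((?:[^"\\]|\\.)*)"')
SCRIPTLET = re.compile(r"<%(?![@-])(.*?)(?:%>|\Z)", re.S)  # skips <%@ and <%--


def find_hardcoded(jsp_text):
    """Return (line_no, variable, literal) for credential-like assignments in scriptlets."""
    hits = []
    for block in SCRIPTLET.finditer(jsp_text):
        for m in ASSIGN.finditer(block.group(1)):
            name, value = m.group(1), m.group(2)
            if NAME_HINT.search(name) and value:  # an empty literal is not a secret
                line_no = jsp_text.count("\n", 0, block.start(1) + m.start()) + 1
                hits.append((line_no, name, value))
    return hits


def scan_webroot(root):
    """Walk a deployed web root and report every JSP carrying hardcoded credentials."""
    report = {}
    for path in sorted(Path(root).rglob("*.jsp")):
        hits = find_hardcoded(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    # Constructed sample tree: one file modelled on the excerpt above, one clean file.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "plugin", "ewe", "jsp", "config.jsp")
        cfg.parent.mkdir(parents=True)
        cfg.write_text('<%\nString sUsername, sPassword, aStyle, aToolbar;\n'
                       'sUsername = "sysadmin";\nsPassword = "weaversoft";\n%>\n')
        Path(tmp, "index.jsp").write_text('<% String title = "home"; %>\n<p>ok</p>\n')
        return scan_webroot(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, var, _ in hits:
            print(f"{name}:{line_no}: hardcoded value assigned to {var}")
```

Any hit on a file under a web-reachable path means the credential ships identically with every installation and should be replaced with a per-deployment secret stored outside the web root.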

<img src="https://images.seebug.org/upload/201601/14144058c83d7fcfdbdb2ac614d5d8acffa1c8cf.jpg" alt="Snap300.jpg" width="600">

<img src="https://images.seebug.org/upload/201601/14144347c2fde3c0b82d7df6077e35708dd4bbe2.jpg" alt="Snap301.jpg" width="600">

<img src="https://images.seebug.org/upload/201601/14144353a1d4c7f1f24f6858f1a34203cd7a67d4.jpg" alt="Snap302.jpg" width="600">

Create a new document

<img src="https://images.seebug.org/upload/201601/1414463950949eea63c1757cfc515c5e2a8bdb18.jpg" alt="Snap304.jpg" width="600">

<img src="https://images.seebug.org/upload/201601/141447241a9929f218756e5e875a839567355c36.jpg" alt="Snap303.jpg" width="600">

Deletion succeeded

<img src="https://images.seebug.org/upload/201601/14144735370a84c5124b1d9974b090ceda755c1e.jpg" alt="Snap306.jpg" width="600">

Proof of vulnerability:

Vendor's official site: http://...:9085/plugin/ewe/admin/default.jsp

<img src="https://images.seebug.org/upload/201601/14145537b23a4087a5ee3bca003634bc2cdea2b2.jpg" alt="Snap307.jpg" width="600">

<img src="https://images.seebug.org/upload/201601/1414554473839d7aa4a1676282d399d3877b30dc.jpg" alt="Snap309.jpg" width="600">

<img src="https://images.seebug.org/upload/201601/141455537b21d9ec5516743693664544996b6a05.jpg" alt="Snap310.jpg" width="600">

I won't test deletion here.

http://.../plugin/ewe/admin/login.jsp

<img src="https://images.seebug.org/upload/201601/14150105d2705be3101e9b9f18aba7c9a60766ce.jpg" alt="Snap311.jpg" width="600">


http://...

<img src="https://images.seebug.org/upload/201601/14150206b5d996e3a549ad188f6498823782eeea.jpg" alt="Snap312.jpg" width="600">

<img src="https://images.seebug.org/upload/201601/14150244feab215277dfdfa9048791e3dffa6c98.jpg" alt="Snap313.jpg" width="600">