Discovering a pre-authentication XXE vulnerability in the Seeyon OA FineReport component

Part 1: Discovery process

Analyse the web.xml descriptor:

/A8/ApacheJetspeed/webapps/seeyonreport/WEB-INF/web.xml

Locate the class that handles requests to /seeyonreport/SeeyonReportServiceServlet, which is com.seeyon.ctp.seeyonreport.service.SeeyonReportServiceServlet:

<servlet>
    <servlet-name>SeeyonReportServiceServlet</servlet-name>
    <servlet-class>com.seeyon.ctp.seeyonreport.service.SeeyonReportServiceServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>SeeyonReportServiceServlet</servlet-name>
    <url-pattern>/SeeyonReportServiceServlet</url-pattern>
</servlet-mapping>

Step into the servlet's doPost method:

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
}

Find the case SELECT branch:

case SELECT:
    this.execSelect(request, response);
    break;

Step into this.execSelect, shown below:

public void execSelect(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    PrintWriter pw = response.getWriter();
    String dataSetName = request.getParameter("dataSetName");
    List<String> tableDataNames = SeeyonReportCommonUtil.getTemplateServerTableDataNames(dataSetName);
    Collections.sort(tableDataNames);
    String json = JSONHelper.list2json(tableDataNames);
    pw.write(json);
    pw.close();
}

It reads the dataSetName request parameter and passes it to SeeyonReportCommonUtil.getTemplateServerTableDataNames(). Following it further:

public static List<String> getTemplateServerTableDataNames(String cptName) {
    List<String> tableDataNames = getTemplateTableDataNames(cptName);
    List<String> serverDataSet = new ArrayList();
    List<String> allDataSet = getTemplateAllTableDataNames(cptName);
    Iterator iter = allDataSet.iterator();

    while(iter.hasNext()) {
        String name = (String)iter.next();
        if (!tableDataNames.contains(name)) {
            serverDataSet.add(name);
        }
    }

    return serverDataSet;
}

The parameter value first goes into getTemplateTableDataNames and is then passed to getTemplateAllTableDataNames.

Look at the latter, getTemplateAllTableDataNames (part of the code omitted):

public static List<String> getTemplateAllTableDataNames(String cptName) {
    List<Element> rEles = getWorkBookElement(WorkBook.Report, cptName);
    List<String> serverDataSet = new ArrayList();
    if (!rEles.isEmpty()) {
        Iterator var3 = rEles.iterator();
        while(var3.hasNext()) {
            ……
        }
    }
    return serverDataSet;
}

So the value of the original dataSetName request parameter is used as cptName and passed into getWorkBookElement(WorkBook.Report, cptName). Following it further:

public static List<Element> getWorkBookElement(WorkBook wb, String cptName) {
    Env env = FRContext.getCurrentEnv();
    List eles = null;

    try {
        SAXReader reader = new SAXReader();
        boolean isExist = env.isTemplateExist(cptName);
        if (isExist) {
            String reportPath = StableUtils.pathJoin(new String[]{env.getPath(), "reportlets", cptName});
            File file = new File(reportPath);
            Document document = reader.read(file);
            Element root = document.getRootElement();
            List<Element> childElements = root.elements();
            if (!childElements.isEmpty()) {
                Iterator var11 = childElements.iterator();

                while(var11.hasNext()) {
                    Element el = (Element)var11.next();
                    if (el.getName().equals(wb.name())) {
                        eles = el.elements();
                        break;
                    }
                }
            }
        }
    } catch (Exception var13) {
        LOG.error(var13);
    }

    return eles;
}

Here cptName is concatenated into a filesystem path, and StableUtils.pathJoin applies no filtering of special characters. At this point ../ sequences can already be used to traverse directories and control the value of reportPath, pointing it at a file path of our choosing:

String reportPath = StableUtils.pathJoin(new String[]{env.getPath(), "reportlets", cptName})

Combine this with the textbook XXE pattern that follows:

SAXReader reader = new SAXReader();
File file = new File(reportPath);
Document document = reader.read(file);

Because the SAXReader is created with its default settings, which resolve external entities, passing in the path of a local file containing an XXE payload is enough to trigger the XXE vulnerability.
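As an added example (not code from this article or from the FineReport/Seeyon code base), here is a hardened rewrite of getWorkBookElement that closes both defects: it canonicalises the resolved template path and rejects anything outside the reportlets directory, and it configures the dom4j SAXReader to refuse a DOCTYPE and never fetch external entities. It assumes env.getPath() is handed in as a File and replaces the WorkBook enum with its name string; both are simplifications.

```java
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;
public class HardenedWorkBookReader {
    // Assumption: env.getPath() is passed in as a File; canonicalised once.
    private final File reportletsDir;
    public HardenedWorkBookReader(File envPath) throws IOException {
        this.reportletsDir = new File(envPath, "reportlets").getCanonicalFile();
    }

    // Fix 1: resolve cptName and refuse anything that escapes reportlets/, so
    // "../../cache/temp.zip" (or a symlink pointing outside) is rejected.
    File resolveTemplate(String cptName) throws IOException {
        if (cptName == null || cptName.isEmpty()) throw new IOException("empty template name");
        File candidate = new File(reportletsDir, cptName).getCanonicalFile();
        if (!candidate.getPath().startsWith(reportletsDir.getPath() + File.separator)) {
            throw new IOException("template path escapes reportlets directory");
        }
        return candidate;
    }

    // Fix 2: a SAXReader that rejects DOCTYPE and never fetches external entities,
    // so a crafted template cannot read local files or make outbound requests.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }
    // Same lookup as the original method, built on the two fixes above.
    public List<Element> getWorkBookElement(String wbName, String cptName)
            throws IOException, DocumentException, SAXException {
        File file = resolveTemplate(cptName);
        if (!file.isFile()) return Collections.emptyList();
        Document document = hardenedReader().read(file);
        List<Element> children = document.getRootElement().elements();
        for (Element el : children) {
            if (el.getName().equals(wbName)) return el.elements();
        }
        return Collections.emptyList();
    }
}
```

Disallowing the DOCTYPE is the single feature that matters most; the other three are belt-and-braces for parsers that do not honour it.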

Conveniently, a FineReport v8.0 getshell vulnerability disclosed during the 2019 HW exercise included an unauthenticated plugin upload in which the uploaded file's content is controllable and its path is fixed:

/A8/ApacheJetspeed/webapps/seeyonreport/WEB-INF/cache/temp.zip

Of course, any other method that lets you control the contents of an uploaded file would also work.

Part 2: Constructing the exploitation method

  1. Use the unauthenticated plugin upload to save the XXE payload to the file at the fixed path:

/A8/ApacheJetspeed/webapps/seeyonreport/WEB-INF/cache/temp.zip

  2. Call the /seeyonreport/SeeyonReportServiceServlet endpoint with a directory-traversal path so that SAXReader reads temp.zip.
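As an added detection example (not from this article), a small Java checker that flags access-log lines where a request to the servlet above carries a dataSetName containing a parent-directory step, after percent-decoding twice to catch double-encoded forms. The log format and the sample lines are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SeeyonReportTraversalDetector {
    // Request line for the servlet analysed above; group 1 is the query string.
    private static final Pattern REQ = Pattern.compile(
        "\"(?:GET|POST) /seeyonreport/SeeyonReportServiceServlet\\?([^ \"]*)");

    // True when a dataSetName value contains a parent-directory step once decoded.
    static boolean isSuspicious(String logLine) {
        Matcher m = REQ.matcher(logLine);
        if (!m.find()) return false;
        for (String kv : m.group(1).split("&")) {
            int eq = kv.indexOf('=');
            if (eq < 0 || !"dataSetName".equals(kv.substring(0, eq))) continue;
            String value = kv.substring(eq + 1);
            try {
                // Decode twice so double-encoded forms such as %252e%252e%252f are caught too.
                value = URLDecoder.decode(value, StandardCharsets.UTF_8);
                value = URLDecoder.decode(value, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException bad) {
                return true; // malformed percent-encoding: do not trust it
            }
            if (value.contains("../") || value.contains("..\\")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample access-log lines (not real traffic).
        String[] lines = {
            "10.0.0.5 - - [01/Jan/2021:10:00:00 +0800] \"GET /seeyonreport/SeeyonReportServiceServlet?dataSetName=sales.cpt HTTP/1.1\" 200 512",
            "10.0.0.5 - - [01/Jan/2021:10:00:01 +0800] \"GET /seeyonreport/SeeyonReportServiceServlet?dataSetName=..%2F..%2Fcache%2Ftemp.zip HTTP/1.1\" 200 88",
            "10.0.0.5 - - [01/Jan/2021:10:00:02 +0800] \"GET /seeyon/main.do HTTP/1.1\" 200 2048"
        };
        for (String line : lines) {
            System.out.println((isSuspicious(line) ? "ALERT " : "ok    ") + line);
        }
    }
}
```

A dataSetName sent in a POST body never appears in an access log, so the same check also belongs in a WAF rule or request-body logging for that path.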

Part 3: Affected versions

A rough test shows that at least the following versions are affected:

Seeyon A6-V5 V6.1
Seeyon A6-V5 V6.1SP1
Seeyon A8-V5 V6.1SP1
Seeyon A8-V5 V6.1SP2
