Zhiyuan OA arbitrary administrator login vulnerability analysis - Code World

Zhiyuan OA arbitrary administrator login vulnerability analysis

Enterprise 2023-05-08 08:05:28 views: null

foreword

With the arrival of China's largest safety product performance test and the challenge of human physical fitness limits, all the big shots are showing their talents. At the same time, a large number of 0days have been made public. Excluding those who have been refuted, there are still many loopholes worth learning. Zhiyuan This is a combined vulnerability. First, any administrator logs in, and then getshell in the background. Because the foreground vulnerability is relatively more harmful, here we focus on analyzing the foreground vulnerability.

Detailed analysis

thirdpartyController.doZhiyuan oa uses the automatic assembly of spring, and can quickly locate the vulnerability class by searching the vulnerability URL in the xml file .

Find the problematic method according to exp.

After finding this method, you can basically see the vulnerability point at a glance. At the bottom of the method, the memberId here is controllable.

First, obtain the encoded L, M, and T parameters through the enc parameter.

Here LightWeightEncoder.decodeStringis a base64 encoding implemented by Zhiyuan itself, and the implementation method is very simple. It is to encode the plaintext into base64 first, and then add one to each encoded char. For example, the string encoded by base64 is abcd, which corresponds to bcde.

After the enc is obtained, the string will be split, first use & to split, then use = to split, and store it in the map object.

The linkType and timeStamp here are obtained from enc. timeStamp is a timestamp, we can directly use 2099 when constructing exp.

L is the connection address, the author of the vulnerability provides the message.link.doc.folder.open
same type message.link.doc.open.index, message.link.news.openetc.

M is the user id. The author of the vulnerability provides that -7273032013234748168
this value is the default id when the system is installed, and there are 4 default ids during installation, corresponding to different permissions.

"5725175934914479521"   "集团管理员"
"-7273032013234748168"  "系统管理员"
"-7273032013234748798"  "系统监控"
"-4401606663639775639"  "审计管理员"

Finally, get user information according to id through getMemberById

Finally, the poc is generated and sent, and the cookie for administrator login can be obtained

Guess you like

Origin blog.csdn.net/jd_cx/article/details/125673029

Zhiyuan OA arbitrary administrator login vulnerability analysis

Arbitrary file upload vulnerability in Zhiyuan OA-ajax.do

[Vulnerability recurrence] Tongda OA v11.7 online arbitrary user login vulnerability

[Laboratory] know Chong Yu Zhiyuan 404 OA System Remote arbitrary code execution vulnerability in high-risk security warning

Zhiyuan OA A8 Vulnerability Comprehensive Tool

There is an arbitrary file reading vulnerability in Lanling OA

Tongda OA arbitrary file deletion / OA unauthorized access + arbitrary file upload RCE vulnerability reproduction

Zhiyuan OA M1-Server RCE Vulnerability Reappears

Vulnerability analysis of unauthorized reading of arbitrary files

Tongda OA arbitrary user login reproduction (manual use & script use)

Zhiyuan OA M1Server RCE Vulnerability Reappearance (HW0day)

OA Zhiyuan use of POC

OA form creation (Zhiyuan)

Tongda OA v11.9 getdata arbitrary command execution vulnerability reproduction + exploitation

Recovering the arbitrary file reading vulnerability of Kingdee OA CommonFileServer (0day)

Zhiyuan OA willkürliche Administrator-Login-Schwachstellenanalyse

Arbitrary File Download Vulnerability

[High Risk] Fanwei e-cology9 has an arbitrary user login vulnerability

Reproduce the User Login Arbitrary File Reading Vulnerability of HUAWEI Firewall (1day)

Fix a Zhiyuan OA database problem

Analysis of arbitrary file reading vulnerability in a micro e-office collaborative management system CNVD-2022-07603

Arbitrary code Command Execution Vulnerability

Arbitrary file reading and vulnerability reproduction

Arbitrary file upload vulnerability (introduction)

An oa 11.10 does not authorize arbitrary file uploads

Vim and Neovim exposed to arbitrary code execution vulnerability

python deserialization vulnerability to arbitrary code execution

Penetration testing-arbitrary file download vulnerability

UFIDA NC Arbitrary File Upload Vulnerability Reproduced

Arbitrary file upload vulnerability in UEditor .Net version

Recommended

Ranking

#2019110700005

What materials and procedures are required for patent transfer

What is the blockchain Ethereum triplet state root transaction root receipt root

Front-end study notes 04 --- About the insertion of html pictures and videos

Documents required for the filing of WeChat Mini Programs in special industries, the filing process of WeChat Mini Programs in special industries, how to file WeChat Mini Programs in special industries

2017 Qingdao-site tournament I The Squared Mosquito Coil

[BZOJ3165][HEOI2013]Segment (line segment tree without marking)

Kettle series: KettleEasyExpand, an open source Kettle universal plugin by Ma Jinju

The latest tutorial on making framework for iOS

DAX Section 6: Statistical Functions

Daily

More

2024-05-14(9)

2024-05-13(8)

2024-05-12(28)

2024-05-11(32)

2024-05-10(34)

2024-05-09(32)

2024-05-08(18)

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)